dridex | 4045c8c25b01a13d4ddb043efc4b03c5cf9d59fd5a85eb8403576fabf992af7d

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4045c8c25b01a13d4ddb043efc4b03c5cf9d59fd5a85eb8403576fabf992af7d.dll
Size

1.2MB
MD5

a85440e55b4cbf0624dff9e908308693
SHA1

acd4bdee53cd2d77cfc312ec032c0cb5ff97dfbe
SHA256

4045c8c25b01a13d4ddb043efc4b03c5cf9d59fd5a85eb8403576fabf992af7d
SHA512

53a240857da2b0707d09a534ae69e26ea59ae831b21c195e99b312f550263df59f04c951bab053e954baeb90de50067ec8f662dc74df9455f8984feda365f21d
SSDEEP

12288:qqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baedh:qqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3424-4-0x0000000002FB0000-0x0000000002FB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/3608-1-0x0000000140000000-0x0000000140127000-memory.dmp	dridex_payload
behavioral2/memory/3424-24-0x0000000140000000-0x0000000140127000-memory.dmp	dridex_payload
behavioral2/memory/3424-35-0x0000000140000000-0x0000000140127000-memory.dmp	dridex_payload
behavioral2/memory/3608-38-0x0000000140000000-0x0000000140127000-memory.dmp	dridex_payload
behavioral2/memory/1660-46-0x0000000140000000-0x0000000140128000-memory.dmp	dridex_payload
behavioral2/memory/1660-50-0x0000000140000000-0x0000000140128000-memory.dmp	dridex_payload
behavioral2/memory/3892-66-0x0000000140000000-0x0000000140128000-memory.dmp	dridex_payload
behavioral2/memory/3484-77-0x0000000140000000-0x000000014016D000-memory.dmp	dridex_payload
behavioral2/memory/3484-81-0x0000000140000000-0x000000014016D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1660	tabcal.exe
3892	SndVol.exe
3484	sessionmsg.exe

Loads dropped DLL 3 IoCs

pid	Process
1660	tabcal.exe
3892	SndVol.exe
3484	sessionmsg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\NF5K\\SndVol.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3608	rundll32.exe
3608	rundll32.exe
3608	rundll32.exe
3608	rundll32.exe
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3424	Process not Found
3424	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3816	3424	Process not Found	94
PID 3424 wrote to memory of 3816	3424	Process not Found	94
PID 3424 wrote to memory of 1660	3424	Process not Found	95
PID 3424 wrote to memory of 1660	3424	Process not Found	95
PID 3424 wrote to memory of 1960	3424	Process not Found	96
PID 3424 wrote to memory of 1960	3424	Process not Found	96
PID 3424 wrote to memory of 3892	3424	Process not Found	97
PID 3424 wrote to memory of 3892	3424	Process not Found	97
PID 3424 wrote to memory of 5092	3424	Process not Found	98
PID 3424 wrote to memory of 5092	3424	Process not Found	98
PID 3424 wrote to memory of 3484	3424	Process not Found	99
PID 3424 wrote to memory of 3484	3424	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4045c8c25b01a13d4ddb043efc4b03c5cf9d59fd5a85eb8403576fabf992af7d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:3816

C:\Users\Admin\AppData\Local\A7CB\tabcal.exe
C:\Users\Admin\AppData\Local\A7CB\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1660

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:1960

C:\Users\Admin\AppData\Local\Rhl\SndVol.exe
C:\Users\Admin\AppData\Local\Rhl\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3892

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:5092

C:\Users\Admin\AppData\Local\Yvr6R\sessionmsg.exe
C:\Users\Admin\AppData\Local\Yvr6R\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\A7CB\HID.DLL

Filesize
1.2MB

MD5
d99000962e2cef5e9513c181dec83069

SHA1
6052684a76e1a7184c25c82ebdc9330e02054fcb

SHA256
1b8f4356d9402e5c6b95a908ccbf00126a0680fcefb04d668238d9e3682cb2d7

SHA512
3cf7d995c4405ba4e370b28404be0744d57f30547214fee64d92fedac1d1f67a2f4d84538b23d7b1a78a80ba4640ba35c9170f0a1167a406b56a950c3f8c8860

Download Submit
C:\Users\Admin\AppData\Local\A7CB\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Local\Rhl\SndVol.exe

Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\Rhl\dwmapi.dll

Filesize
1.2MB

MD5
ba7e04d50a95cc0bb031f6a98f29f439

SHA1
f99acf9b73eb14458b50f24cf99befcf3e4ee002

SHA256
2f9a9d6fbfc81a826eea23eb4dafaecc1fd462a2af0e7bff7a711f9448d9bbea

SHA512
85ce4023de6730144efc8fc4a82ae973e6dd4b0a1a35a152f014dfe0bf30abc1cf0693fceefba17795b68a22f04d3e70603d9c944241ce320983714858f7fe1a

Download Submit
C:\Users\Admin\AppData\Local\Yvr6R\DUI70.dll

Filesize
1.4MB

MD5
3a95189a55297c8763a2bb3c2b5b9146

SHA1
fe0e1229721d624baada62c56755ded7f96d4a1a

SHA256
d38bbb9b03509a1498516572205cd9fddae88fd8b906b5e8db529e503046c3e9

SHA512
93adc5b73379e7927d35c4e4e101bb58da8caa455e2a95ca2bfe83f491fd413fd021832c309145fa69e22d5a9e189bcfb94045347da6658eb867a0760fcaf561

Download Submit
C:\Users\Admin\AppData\Local\Yvr6R\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
9550f8c5befd10fcba03b3819beae6d6

SHA1
a12d75bff81f942422182d67bf7b76b33a8a0c9f

SHA256
ab0d005b3d2f624cc136bc3392ef01c4ff1f92f051795a2e237ba0e18183d440

SHA512
8f2da0b5d5d2d737c204d18304fea58d730aeff2e3d9a370b34eba4260b4b0194dd6112a2e2ca44bb40805207bb7a6ebc2048c7bff261fc109db8a123d71ce99

Download Submit
memory/1660-50-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/1660-46-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/1660-45-0x000001951B620000-0x000001951B627000-memory.dmp

Filesize
28KB

Download
memory/3424-13-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-24-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-25-0x00007FFD53360000-0x00007FFD53370000-memory.dmp

Filesize
64KB

Download
memory/3424-12-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-11-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-10-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-8-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-7-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-6-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-4-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/3424-26-0x00007FFD53350000-0x00007FFD53360000-memory.dmp

Filesize
64KB

Download
memory/3424-35-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-3-0x00007FFD5166A000-0x00007FFD5166B000-memory.dmp

Filesize
4KB

Download
memory/3424-15-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-23-0x0000000001200000-0x0000000001207000-memory.dmp

Filesize
28KB

Download
memory/3424-14-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3424-9-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3484-77-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/3484-81-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/3608-0-0x000002D513D70000-0x000002D513D77000-memory.dmp

Filesize
28KB

Download
memory/3608-38-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3608-1-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/3892-63-0x000001FCED990000-0x000001FCED997000-memory.dmp

Filesize
28KB

Download
memory/3892-66-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download