dridex | af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600.dll
Size

904KB
MD5

40d159e05ca3922e4c803ccf5614a085
SHA1

577e7196c8d2a022a49cc0381f9dea716c577be4
SHA256

af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600
SHA512

6be1af6877eea2b53ecfdd32596ba9b8465b3885537cb7847a9795b2f92effdf8fafeb654113bceca62c83045fe9c717a2543ee215543b517c85d420745fa67f
SSDEEP

12288:SqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:SqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3544-3-0x0000000000950000-0x0000000000951000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4592-1-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/3544-35-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/3544-24-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/4592-38-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/2100-46-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/2100-50-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/4324-66-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/2020-81-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2100	dxgiadaptercache.exe
4324	SystemPropertiesComputerName.exe
2020	upfc.exe

Loads dropped DLL 3 IoCs

pid	Process
2100	dxgiadaptercache.exe
4324	SystemPropertiesComputerName.exe
2020	upfc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\Jdm6VH2\\SYSTEM~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4592	rundll32.exe
4592	rundll32.exe
4592	rundll32.exe
4592	rundll32.exe
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found
3544	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3544	Process not Found
Token: SeCreatePagefilePrivilege	3544	Process not Found
Token: SeShutdownPrivilege	3544	Process not Found
Token: SeCreatePagefilePrivilege	3544	Process not Found
Token: SeShutdownPrivilege	3544	Process not Found
Token: SeCreatePagefilePrivilege	3544	Process not Found
Token: SeShutdownPrivilege	3544	Process not Found
Token: SeCreatePagefilePrivilege	3544	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3544	Process not Found
3544	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1124	3544	Process not Found	97
PID 3544 wrote to memory of 1124	3544	Process not Found	97
PID 3544 wrote to memory of 2100	3544	Process not Found	98
PID 3544 wrote to memory of 2100	3544	Process not Found	98
PID 3544 wrote to memory of 948	3544	Process not Found	99
PID 3544 wrote to memory of 948	3544	Process not Found	99
PID 3544 wrote to memory of 4324	3544	Process not Found	100
PID 3544 wrote to memory of 4324	3544	Process not Found	100
PID 3544 wrote to memory of 4332	3544	Process not Found	101
PID 3544 wrote to memory of 4332	3544	Process not Found	101
PID 3544 wrote to memory of 2020	3544	Process not Found	102
PID 3544 wrote to memory of 2020	3544	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:1124

C:\Users\Admin\AppData\Local\CY0\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\CY0\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2100

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\qT0c\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\qT0c\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4324

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:4332

C:\Users\Admin\AppData\Local\CcqlJYJo\upfc.exe
C:\Users\Admin\AppData\Local\CcqlJYJo\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CY0\dxgi.dll

Filesize
908KB

MD5
9c03028368db60c7c6dac611a32ece41

SHA1
5bfd41c3c88f4cbca40a56f4d93d0353d7ba0a69

SHA256
cc68c94747e3cd2e1eba42f8c7db286cc429f07ae4c71365ca7481a5abe50f39

SHA512
080cc7aa7e58e24ce473c1fc2987292bb5a3b03f15abc787823b8ed48a7c79e29bd7bb05ebcda2e0151b013c0b69251b1cad4b083fb98b49b1210c342dbb5334

Download Submit
C:\Users\Admin\AppData\Local\CY0\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\CcqlJYJo\XmlLite.dll

Filesize
908KB

MD5
f6b33c6d0b8c7e7c3925ab4fd242df75

SHA1
4d2d1b1255fc882a9d2f954337f4bc92b878b62f

SHA256
263d423b83105fb82b40d9c4b50a03a7168786975df038d031c9b6cdd03a899d

SHA512
c6093b0765f08baa9b62c8f09083cbf5df92f3071ea288d2a870e708e89fe5312b8beda32ac3dbde2afe99e54c1ae00fae17b0817abf99904d597a653c6c0618

Download Submit
C:\Users\Admin\AppData\Local\CcqlJYJo\upfc.exe

Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\qT0c\SYSDM.CPL

Filesize
908KB

MD5
761a7f36b2445080b14a8cbe35a66eed

SHA1
b83a18f299f35204f125951ede7d45c64449538c

SHA256
15f717c562aed931536ad595853a87505e1a21e351e77f8f945c91aa572510ef

SHA512
0c951b834a203bdcbce85641e4bf77b863f4ec499b2ca8eef128cd0e0ec7e2138578b021f50b16791e3cdc316ee689536c8cbbeaa47cf4669aee916c6558e488

Download Submit
C:\Users\Admin\AppData\Local\qT0c\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
6ebe36862546966040cfea01e6f02243

SHA1
cd49b76974d56688bde80bb70763ebee63516657

SHA256
70b65f0f7186f5b413919743d68193fcce6841605d40bb5a40fd014703e8903f

SHA512
161303044981a62b2c1ba55fc61e4a1cbf723140942081e82c477e5bd05550d0f8178617b8e64fd49fc824db5f867fdf742eda5ff8c3cca0964068340da74830

Download Submit
memory/2020-81-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/2100-50-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/2100-46-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/2100-45-0x000002D0591F0000-0x000002D0591F7000-memory.dmp

Filesize
28KB

Download
memory/3544-15-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-23-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/3544-25-0x00007FFF34B20000-0x00007FFF34B30000-memory.dmp

Filesize
64KB

Download
memory/3544-24-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-13-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-12-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-11-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-9-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-8-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-26-0x00007FFF34B10000-0x00007FFF34B20000-memory.dmp

Filesize
64KB

Download
memory/3544-14-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-35-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-7-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-3-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3544-5-0x00007FFF33FCA000-0x00007FFF33FCB000-memory.dmp

Filesize
4KB

Download
memory/3544-10-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-6-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4324-66-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4324-61-0x000002556B210000-0x000002556B217000-memory.dmp

Filesize
28KB

Download
memory/4592-0-0x0000020A2AF20000-0x0000020A2AF27000-memory.dmp

Filesize
28KB

Download
memory/4592-38-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4592-1-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download