dridex | 642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll
Size

900KB
MD5

42b74b886c2d75ff9bf4636e558d7ee2
SHA1

096a9d095b93fd378afdc04e04f0d82d23320b3d
SHA256

642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9
SHA512

688ad13892a5e66726574759fd21579887e2452b54397682a81643735ef050dd4fc4a8d152183802ad7f15f80eb2cdf889aa67a1b9050dcfd813cad00b363c78
SSDEEP

12288:CqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed1aaw6:CqGBHTxvt+g2gYed1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3500-3-0x0000000003340000-0x0000000003341000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4292-1-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/3500-34-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/3500-23-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/4292-37-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/5064-45-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/5064-49-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/4160-61-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/4160-65-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/3868-80-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
5064	dxgiadaptercache.exe
4160	RdpSa.exe
3868	SystemPropertiesHardware.exe

Loads dropped DLL 3 IoCs

pid	Process
5064	dxgiadaptercache.exe
4160	RdpSa.exe
3868	SystemPropertiesHardware.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\54JDh\\RdpSa.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4292	rundll32.exe
4292	rundll32.exe
4292	rundll32.exe
4292	rundll32.exe
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1540	3500	Process not Found	94
PID 3500 wrote to memory of 1540	3500	Process not Found	94
PID 3500 wrote to memory of 5064	3500	Process not Found	95
PID 3500 wrote to memory of 5064	3500	Process not Found	95
PID 3500 wrote to memory of 1076	3500	Process not Found	96
PID 3500 wrote to memory of 1076	3500	Process not Found	96
PID 3500 wrote to memory of 4160	3500	Process not Found	97
PID 3500 wrote to memory of 4160	3500	Process not Found	97
PID 3500 wrote to memory of 1628	3500	Process not Found	98
PID 3500 wrote to memory of 1628	3500	Process not Found	98
PID 3500 wrote to memory of 3868	3500	Process not Found	99
PID 3500 wrote to memory of 3868	3500	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:1540

C:\Users\Admin\AppData\Local\A3xp0ohH7\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\A3xp0ohH7\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5064

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:1076

C:\Users\Admin\AppData\Local\vKkZsYTCe\RdpSa.exe
C:\Users\Admin\AppData\Local\vKkZsYTCe\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4160

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1628

C:\Users\Admin\AppData\Local\j23jfwqKq\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\j23jfwqKq\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\A3xp0ohH7\dxgi.dll

Filesize
904KB

MD5
8fd8a98cc1cd9842dc860e5274316cb3

SHA1
43fa69e7956adae0f6df5fe786cd1f9db3a27b56

SHA256
6ea5132a4e730b11eefcf09f02b9d866beb05313b680e506a2592e882d736ff5

SHA512
41800120564e0e44b37ceb36e51c74260cd44cfbed12c1e69c62cd1f6ff0158770834a972dc65a1d775cb306ad90515da741955e65a9f0c507696874eb9fafcb

Download Submit
C:\Users\Admin\AppData\Local\A3xp0ohH7\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\j23jfwqKq\SYSDM.CPL

Filesize
904KB

MD5
f56456f3442961e1bd2d6d8409e91b66

SHA1
31b22fea346a6541114f716465d916b155523da5

SHA256
e2911c6f45a18c6e59e870d82463e5ff168265a315c64fd51a04543752033d81

SHA512
8d017fa7739ce59dd8eac77869066c599cb277c0ec32243dcd92ef77e7b5ebc80db42b4d0fcddd1cde4ddd3aa2e7b2c7f14043be11354033198139affd5a22d7

Download Submit
C:\Users\Admin\AppData\Local\j23jfwqKq\SystemPropertiesHardware.exe

Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Local\vKkZsYTCe\RdpSa.exe

Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\vKkZsYTCe\WINSTA.dll

Filesize
908KB

MD5
54f9e684743cba1436cf1afb50ce1037

SHA1
122120248fce6de9fcbbc24d6e985702aa70c41a

SHA256
a3f68dd651513457c66962932cc26ddd0e0b0d258c9ba4fb3c8b07c583d599ab

SHA512
bb518ea6fbbb33f51acf48ef8bc4278e3e310b6cab72a125cf38391bc95b7ddf3eb1ff7d14a87c18768d7b1df02560dd966f611a8c82dead75a9b626883006e7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
60793ee039709a8cee36bdcd5733f8de

SHA1
9be7ea6d2940fb63017c34ade9b4758c061d3a6b

SHA256
cd80c76a24b0f66cc86687aa948df7af5d47c126d4148294487fe3608534cdda

SHA512
bc0870290433baef37cde6c23a8bfad02c75df0fcb91a36d6124b7ed3cf0ecfa7b1b58136ea877d6dc907a2a8985907f923d3c260f4fec075cc7184aee7f020c

Download Submit
memory/3500-12-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-22-0x0000000001560000-0x0000000001567000-memory.dmp

Filesize
28KB

Download
memory/3500-34-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-25-0x00007FF95E750000-0x00007FF95E760000-memory.dmp

Filesize
64KB

Download
memory/3500-24-0x00007FF95E760000-0x00007FF95E770000-memory.dmp

Filesize
64KB

Download
memory/3500-23-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-11-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-10-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-9-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-7-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-6-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-3-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/3500-14-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-4-0x00007FF95DCFA000-0x00007FF95DCFB000-memory.dmp

Filesize
4KB

Download
memory/3500-8-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3500-13-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3868-80-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4160-60-0x0000015E12B80000-0x0000015E12B87000-memory.dmp

Filesize
28KB

Download
memory/4160-61-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4160-65-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4292-0-0x00000234023E0000-0x00000234023E7000-memory.dmp

Filesize
28KB

Download
memory/4292-37-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/4292-1-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/5064-49-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5064-45-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5064-44-0x00000220377B0000-0x00000220377B7000-memory.dmp

Filesize
28KB

Download