dridex | 642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9

Analysis

max time kernel
134s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll
Size

900KB
MD5

42b74b886c2d75ff9bf4636e558d7ee2
SHA1

096a9d095b93fd378afdc04e04f0d82d23320b3d
SHA256

642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9
SHA512

688ad13892a5e66726574759fd21579887e2452b54397682a81643735ef050dd4fc4a8d152183802ad7f15f80eb2cdf889aa67a1b9050dcfd813cad00b363c78
SSDEEP

12288:CqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed1aaw6:CqGBHTxvt+g2gYed1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3424-4-0x0000000002FD0000-0x0000000002FD1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2944-1-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/3424-23-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/3424-35-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/2944-37-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral2/memory/3680-48-0x0000000140000000-0x00000001400E8000-memory.dmp	dridex_payload
behavioral2/memory/3680-49-0x0000000140000000-0x00000001400E8000-memory.dmp	dridex_payload
behavioral2/memory/4792-56-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/4792-61-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/5100-72-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/5100-76-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/1956-91-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

Processes:

mmc.exeRdpSa.exequickassist.exeGamePanel.exe

pid process

3680 mmc.exe
4792 RdpSa.exe
5100 quickassist.exe
1956 GamePanel.exe
Loads dropped DLL 5 IoCs

Processes:

mmc.exeRdpSa.exequickassist.exeGamePanel.exe

pid process

3680 mmc.exe
3680 mmc.exe
4792 RdpSa.exe
5100 quickassist.exe
1956 GamePanel.exe

pid	process
3680	mmc.exe
4792	RdpSa.exe
5100	quickassist.exe
1956	GamePanel.exe

pid	process
3680	mmc.exe
3680	mmc.exe
4792	RdpSa.exe
5100	quickassist.exe
1956	GamePanel.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\BGI4GC~1\\QUICKA~1.EXE"

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemmc.exeRdpSa.exequickassist.exeGamePanel.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quickassist.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GamePanel.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3424
3424

pid	process
3424
3424

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3424 wrote to memory of 1740	3424	mmc.exe
PID 3424 wrote to memory of 1740	3424	mmc.exe
PID 3424 wrote to memory of 3680	3424	mmc.exe
PID 3424 wrote to memory of 3680	3424	mmc.exe
PID 3424 wrote to memory of 4112	3424	RdpSa.exe
PID 3424 wrote to memory of 4112	3424	RdpSa.exe
PID 3424 wrote to memory of 4792	3424	RdpSa.exe
PID 3424 wrote to memory of 4792	3424	RdpSa.exe
PID 3424 wrote to memory of 5104	3424	quickassist.exe
PID 3424 wrote to memory of 5104	3424	quickassist.exe
PID 3424 wrote to memory of 5100	3424	quickassist.exe
PID 3424 wrote to memory of 5100	3424	quickassist.exe
PID 3424 wrote to memory of 2084	3424	GamePanel.exe
PID 3424 wrote to memory of 2084	3424	GamePanel.exe
PID 3424 wrote to memory of 1956	3424	GamePanel.exe
PID 3424 wrote to memory of 1956	3424	GamePanel.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:1740

C:\Users\Admin\AppData\Local\T97Fx73O\mmc.exe
C:\Users\Admin\AppData\Local\T97Fx73O\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3680

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:4112

C:\Users\Admin\AppData\Local\cJ0xH\RdpSa.exe
C:\Users\Admin\AppData\Local\cJ0xH\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4792

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:5104

C:\Users\Admin\AppData\Local\cFG\quickassist.exe
C:\Users\Admin\AppData\Local\cFG\quickassist.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5100

C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
1⤵
PID:2084

C:\Users\Admin\AppData\Local\9rMKnv7\GamePanel.exe
C:\Users\Admin\AppData\Local\9rMKnv7\GamePanel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9rMKnv7\GamePanel.exe

Filesize
1.2MB

MD5
266f6a62c16f6a889218800762b137be

SHA1
31b9bd85a37bf0cbb38a1c30147b83671458fa72

SHA256
71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

SHA512
b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

Download Submit
C:\Users\Admin\AppData\Local\9rMKnv7\dwmapi.dll

Filesize
904KB

MD5
fe62fcdc69c19a2637823bfa7f90f485

SHA1
09413a37459f951033dbcf9cdfa122b54dfb762d

SHA256
08901ca1d2308fe8c7f11b299e57466dc227e711c224143669dfdbf1a0054123

SHA512
4d3ad227ff47328539d1c578a08ac664827c4b06e356fd08a7c223312f51a5eab813c8f7ac59b37d3d0dbf805220393c23e5b08857a714c23e381f55e63ee491

Download Submit
C:\Users\Admin\AppData\Local\T97Fx73O\MFC42u.dll

Filesize
928KB

MD5
e927fd2cac4e705788f180da5e5d1a74

SHA1
7e330d5c42457f7bec0f8bddd87c39d527965956

SHA256
fa5e21ff7075e86c0c74ecd85a1b5b99a9eedb15aac9ccd47620bef772949806

SHA512
9fc2725fd49d7445f7da239ac9dbde444d2035c8cbb7e136cc39135b404b163d1308f549561a289aabebb563e8eb9718d0d8f5e854a7cc06322ac2956087ce06

Download Submit
C:\Users\Admin\AppData\Local\T97Fx73O\mmc.exe

Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Local\cFG\UxTheme.dll

Filesize
904KB

MD5
5364e6f02b4553c9dcbb9412517f54d8

SHA1
cfe92936bbd69b631e81b7b436ad57259af3d54f

SHA256
76b81cae4bf71ee7c8e61b0df44ade65c118eb5b3e49155fac62409fe2cfa9ff

SHA512
757687e3818acae5dddf573a55b982b7200d13fbc13ed4323b9190347a65b6b092d507e303ac2eee24b6c9f159e1575deb039c59cd2869635bf9ff02cf539a06

Download Submit
C:\Users\Admin\AppData\Local\cFG\quickassist.exe

Filesize
665KB

MD5
d1216f9b9a64fd943539cc2b0ddfa439

SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Download Submit
C:\Users\Admin\AppData\Local\cJ0xH\RdpSa.exe

Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\cJ0xH\WINSTA.dll

Filesize
908KB

MD5
f42bf741993d3a613a13fbb87e56cd18

SHA1
3c9b522a3c4472fe7f89a7845cd7eb6abaa04b38

SHA256
75329e1af6ce910a8490a12706666218294543bd8ce2593b892c52dde4ef013d

SHA512
fe897360b8b9f82c0ce109c9a4c974998ac4c340811853086db87315c304a5af1011360a3b0850f7142c9a9c838fc22e54c295808671d0742fc0e924d12a5540

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
5227997d93b533c59343f20f39ecee26

SHA1
7cf0bcad86d572dd186474e5447f02729789cc1e

SHA256
bfdd93058223245241a1778d39c7eaae01a19abadfd2300e7b7e01fbadd59c42

SHA512
aa40d483f7a852f1b8e2261cee6c4fa3e01802cfda35fe37f22fcc26e4acc806d9eca73a063b67c2acd86cff4b31a7acd1a1267e39d40e4c3165a9f852d0e219

Download Submit
memory/1956-91-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2944-0-0x00000216C0E70000-0x00000216C0E77000-memory.dmp

Filesize
28KB

Download
memory/2944-37-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2944-1-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-23-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-11-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-25-0x00007FFD53350000-0x00007FFD53360000-memory.dmp

Filesize
64KB

Download
memory/3424-24-0x00007FFD53360000-0x00007FFD53370000-memory.dmp

Filesize
64KB

Download
memory/3424-35-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-8-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-9-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-10-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-4-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/3424-3-0x00007FFD5166A000-0x00007FFD5166B000-memory.dmp

Filesize
4KB

Download
memory/3424-7-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-6-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-12-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-13-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3424-22-0x0000000001240000-0x0000000001247000-memory.dmp

Filesize
28KB

Download
memory/3424-14-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3680-49-0x0000000140000000-0x00000001400E8000-memory.dmp

Filesize
928KB

Download
memory/3680-46-0x0000000001430000-0x0000000001437000-memory.dmp

Filesize
28KB

Download
memory/3680-48-0x0000000140000000-0x00000001400E8000-memory.dmp

Filesize
928KB

Download
memory/4792-61-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4792-56-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4792-58-0x0000016574160000-0x0000016574167000-memory.dmp

Filesize
28KB

Download
memory/5100-72-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5100-76-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download