dridex | 26c86a299c2aa7f3db082b5b3769df68c7b6372909473112b6f17969113579d9

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26c86a299c2aa7f3db082b5b3769df68c7b6372909473112b6f17969113579d9.dll
Size

700KB
MD5

eaad0504af393af4c5f770f1f921df14
SHA1

dedc04982b2d2728d5d11eb4f99d870ad89e1381
SHA256

26c86a299c2aa7f3db082b5b3769df68c7b6372909473112b6f17969113579d9
SHA512

27329a5f0f89fc395320c1f1e1f9177e8a296dbc7125119760bdec56fee37e177685759b5ae8bec632ae4876dbc725b89c7ec8ffa40f9f97a6ee7214e9154dd8
SSDEEP

12288:tqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:tqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3460-3-0x0000000000840000-0x0000000000841000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2332-0-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3460-24-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3460-35-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/2332-38-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/1988-45-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/1988-50-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/316-61-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/316-66-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/2316-77-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/2316-81-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1988	PresentationSettings.exe
316	DmNotificationBroker.exe
2316	MusNotifyIcon.exe

Loads dropped DLL 3 IoCs

pid	Process
1988	PresentationSettings.exe
316	DmNotificationBroker.exe
2316	MusNotifyIcon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qiqbxsgjw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3756129449-3121373848-4276368241-1000\\uXQ\\DmNotificationBroker.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DmNotificationBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1584	3460	Process not Found	94
PID 3460 wrote to memory of 1584	3460	Process not Found	94
PID 3460 wrote to memory of 1988	3460	Process not Found	95
PID 3460 wrote to memory of 1988	3460	Process not Found	95
PID 3460 wrote to memory of 1520	3460	Process not Found	96
PID 3460 wrote to memory of 1520	3460	Process not Found	96
PID 3460 wrote to memory of 316	3460	Process not Found	97
PID 3460 wrote to memory of 316	3460	Process not Found	97
PID 3460 wrote to memory of 3972	3460	Process not Found	98
PID 3460 wrote to memory of 3972	3460	Process not Found	98
PID 3460 wrote to memory of 2316	3460	Process not Found	99
PID 3460 wrote to memory of 2316	3460	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26c86a299c2aa7f3db082b5b3769df68c7b6372909473112b6f17969113579d9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Local\krM4n\PresentationSettings.exe
C:\Users\Admin\AppData\Local\krM4n\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1988

C:\Windows\system32\DmNotificationBroker.exe
C:\Windows\system32\DmNotificationBroker.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\qW5Y\DmNotificationBroker.exe
C:\Users\Admin\AppData\Local\qW5Y\DmNotificationBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:316

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:3972

C:\Users\Admin\AppData\Local\rrrq\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\rrrq\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\krM4n\PresentationSettings.exe

Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\krM4n\WINMM.dll

Filesize
708KB

MD5
42da7f37589c11662d569a1a2de80a1b

SHA1
c0d37411feb8fa7c28fb90be6a7f8e51c2c5baa6

SHA256
8985be25e180c812f01edbd1c99c40101f754d725f9e865fca88b5e126de6e69

SHA512
e206b67ec3f8057e27bc37c1dc97aa10890bcb845542f907e74825aed5a48cb29de00f86b92dcaf21403d89c9812e41b28e79f78eb22345cc32fe9ca8c625956

Download Submit
C:\Users\Admin\AppData\Local\qW5Y\DUI70.dll

Filesize
980KB

MD5
fefcefe1d3a7c852f5ec607e111b7d98

SHA1
2eb1c57456640f648b789174bec224c56738f260

SHA256
e1f5634742fb8246c0c72ec0513e2b4d970b4783cc561ccb99c6e77b9f8b6436

SHA512
0577fe41e1ad2658ee333ac8781eb2cb9b43bcf7d5364e58d39aab394c43270878d44cca9e15288d27ae70cdbba409272f450d522dc0773f55b1b5ba5aebb3ae

Download Submit
C:\Users\Admin\AppData\Local\qW5Y\DmNotificationBroker.exe

Filesize
32KB

MD5
f0bdc20540d314a2aad951c7e2c88420

SHA1
4ab344595a4a81ab5f31ed96d72f217b4cee790b

SHA256
f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

SHA512
cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

Download Submit
C:\Users\Admin\AppData\Local\rrrq\MusNotifyIcon.exe

Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\rrrq\XmlLite.dll

Filesize
704KB

MD5
f6b157a6691081569156baf04d4fe0f3

SHA1
2570a5d0f9daa442fbf9d7a501d3679577c94ad2

SHA256
a6d9e9f7e66667bf99e9360fe6b2083bda1a203b12470f24b5e005ded6712409

SHA512
b39b3658693d7fcefd95112779dd1aab9913fdc0e3f5d78bca22681fb823ed424f92971ea17e09499730f9530f2df988d5987fbe18f3d2bb5f68dcfac11acba8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk

Filesize
1KB

MD5
8ce87bcd86644b1736ff8a9e62bef89b

SHA1
72c1730da5a04808918dcd989f3bc77480d58874

SHA256
a4b8423ff7541417310a6549788ae59f393b71888cabe9aa60ea8d50be252571

SHA512
6b13505ccb566bf6dec17a748db8116d66db19c5bd911a66566d517cf07cc782dc3b27610cd08ca9a6955bc0aa5c1651a459548a4fecf978b2513844f7ba7136

Download Submit
memory/316-66-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/316-63-0x0000019507A90000-0x0000019507A97000-memory.dmp

Filesize
28KB

Download
memory/316-61-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/1988-50-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1988-45-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1988-47-0x0000023E390E0000-0x0000023E390E7000-memory.dmp

Filesize
28KB

Download
memory/2316-77-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2316-81-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2332-0-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2332-38-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2332-2-0x000002AE16180000-0x000002AE16187000-memory.dmp

Filesize
28KB

Download
memory/3460-26-0x00007FF9A42B0000-0x00007FF9A42C0000-memory.dmp

Filesize
64KB

Download
memory/3460-35-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-23-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/3460-3-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3460-5-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-7-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-8-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-9-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-11-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-24-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-25-0x00007FF9A42C0000-0x00007FF9A42D0000-memory.dmp

Filesize
64KB

Download
memory/3460-12-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-13-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-14-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-6-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-10-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-22-0x00007FF9A2EAA000-0x00007FF9A2EAB000-memory.dmp

Filesize
4KB

Download