dridex | e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce.dll
Size

700KB
MD5

45424a5476cd3741110250714626b4e4
SHA1

6cd678d66094c596200c3e6cbdbac1147077961a
SHA256

e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce
SHA512

cf6152d4a2094a951d16f9583ad2080027264b21556bd38b4d381c88e17575e8d6e44417ac710cdab801913240753b6fd6064724220772ae928a79bac3937789
SSDEEP

12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3416-4-0x0000000002480000-0x0000000002481000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/224-1-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3416-24-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3416-35-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/224-38-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/2380-47-0x0000000140000000-0x00000001400B6000-memory.dmp	dridex_payload
behavioral2/memory/2380-50-0x0000000140000000-0x00000001400B6000-memory.dmp	dridex_payload
behavioral2/memory/2288-57-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/2288-62-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/3168-77-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/5036-92-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

Processes:

mmc.exeomadmclient.exeiexpress.exeBitLockerWizard.exe

pid process

2380 mmc.exe
2288 omadmclient.exe
3168 iexpress.exe
5036 BitLockerWizard.exe
Loads dropped DLL 5 IoCs

Processes:

mmc.exeomadmclient.exeiexpress.exeBitLockerWizard.exe

pid process

2380 mmc.exe
2380 mmc.exe
2288 omadmclient.exe
3168 iexpress.exe
5036 BitLockerWizard.exe

pid	process
2380	mmc.exe
2288	omadmclient.exe
3168	iexpress.exe
5036	BitLockerWizard.exe

pid	process
2380	mmc.exe
2380	mmc.exe
2288	omadmclient.exe
3168	iexpress.exe
5036	BitLockerWizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\WORDDO~2\\uzwr2\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iexpress.exeBitLockerWizard.exerundll32.exemmc.exeomadmclient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416
Token: SeShutdownPrivilege	3416
Token: SeCreatePagefilePrivilege	3416

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3416
3416
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3416

pid	process
3416
3416

pid	process
3416

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3416 wrote to memory of 2092	3416	mmc.exe
PID 3416 wrote to memory of 2092	3416	mmc.exe
PID 3416 wrote to memory of 2380	3416	mmc.exe
PID 3416 wrote to memory of 2380	3416	mmc.exe
PID 3416 wrote to memory of 3624	3416	omadmclient.exe
PID 3416 wrote to memory of 3624	3416	omadmclient.exe
PID 3416 wrote to memory of 2288	3416	omadmclient.exe
PID 3416 wrote to memory of 2288	3416	omadmclient.exe
PID 3416 wrote to memory of 2184	3416	iexpress.exe
PID 3416 wrote to memory of 2184	3416	iexpress.exe
PID 3416 wrote to memory of 3168	3416	iexpress.exe
PID 3416 wrote to memory of 3168	3416	iexpress.exe
PID 3416 wrote to memory of 4492	3416	BitLockerWizard.exe
PID 3416 wrote to memory of 4492	3416	BitLockerWizard.exe
PID 3416 wrote to memory of 5036	3416	BitLockerWizard.exe
PID 3416 wrote to memory of 5036	3416	BitLockerWizard.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2092

C:\Users\Admin\AppData\Local\wioH7FAws\mmc.exe
C:\Users\Admin\AppData\Local\wioH7FAws\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2380

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:3624

C:\Users\Admin\AppData\Local\KOz\omadmclient.exe
C:\Users\Admin\AppData\Local\KOz\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2288

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2184

C:\Users\Admin\AppData\Local\eDlrz6BSV\iexpress.exe
C:\Users\Admin\AppData\Local\eDlrz6BSV\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3168

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:4492

C:\Users\Admin\AppData\Local\G2Npu0r\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\G2Npu0r\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\G2Npu0r\BitLockerWizard.exe

Filesize
100KB

MD5
6d30c96f29f64b34bc98e4c81d9b0ee8

SHA1
4a3adc355f02b9c69bdbe391bfb01469dee15cf0

SHA256
7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

SHA512
25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

Download Submit
C:\Users\Admin\AppData\Local\G2Npu0r\FVEWIZ.dll

Filesize
704KB

MD5
b7bbfeb3814fcddfa7374942b97d9d4e

SHA1
cd34b2b456709471399c89216e0b710d993f1c63

SHA256
ecc483d5191ccb9b1c78cc2ab35a95b671303abc2884a2316f0398d8916db94c

SHA512
aa38a6c3a04e0385fbeb2434f697cf4bd196940bd75f919d4e92072377631a510c7422598662b3ef2043fdf72a18e6ed20e6cc68238583c6cc5b7c9664a7d333

Download Submit
C:\Users\Admin\AppData\Local\KOz\XmlLite.dll

Filesize
704KB

MD5
a5f711047b6f4156f2e2c0fd15988787

SHA1
738e5d082cdaa495992b23bbc872e9c624d7891c

SHA256
5cdf00c0e961895e87dfb7fd709b2520a913f2ffeaa21e73fdc1403cb9df25fb

SHA512
1d6917ae418573315143c9c201c609b725e4a11461a61a1aa77310525e6bada4fecd647c276a15bd79fd37b00e7920df0eee9a82543059522c5d8854ab57058c

Download Submit
C:\Users\Admin\AppData\Local\KOz\omadmclient.exe

Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Local\eDlrz6BSV\VERSION.dll

Filesize
704KB

MD5
f7f78768b181e0e6dc03f736b4a70826

SHA1
c7e1171cafb261f2d791b3abb213ccdb7fe8b2b4

SHA256
17f69f94e4250c079be1e3042431498afd921045395c014a9945c6bde22cb70e

SHA512
2dfb31db8c839032bfeb8b59599494cc0a7732581e5d39736cee31d843bdd4f73467133ad11c3fa3e0fb3416cbbd79387761641b8ed235a045a63a2870834205

Download Submit
C:\Users\Admin\AppData\Local\eDlrz6BSV\iexpress.exe

Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Local\wioH7FAws\MFC42u.dll

Filesize
728KB

MD5
d6bd4eb6374dd6a9ca110226cafe148d

SHA1
957a9d2b8f5b39a5543507b384356848b5fb1c33

SHA256
c015df8e8dc36a20c0c37f73f5079218ce7d07fb58165bfc46d5f743b209ec1f

SHA512
3cc20342a5adabbf139623cad3cadb6eee58b551a5140a1ffa0e6f83d374378f1fb4b910cb54978810773135f1de8ab3893b2e7dad608b9de79c9fa309d24f84

Download Submit
C:\Users\Admin\AppData\Local\wioH7FAws\mmc.exe

Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
797B

MD5
08bb7b054b0a8bcf75879d8ac553e0ff

SHA1
35121f9a56133ec8b023e5cd643f2ef39047ca22

SHA256
a1f153f765e225e554d1698b182ab3b8e15dc9ad4473e5832469f5362f02c16f

SHA512
5a8b051b49cd23320adb6d6023c0be9a2e49cf1bd7bf50f497b7ae9e1152e0c21ea49fda369d33dcd9b0ab875498af2b361d2c96d01037099a157b264076a491

Download Submit
memory/224-38-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/224-1-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/224-2-0x00000287660D0000-0x00000287660D7000-memory.dmp

Filesize
28KB

Download
memory/2288-59-0x000001EEE7CB0000-0x000001EEE7CB7000-memory.dmp

Filesize
28KB

Download
memory/2288-57-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2288-62-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2380-50-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2380-47-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2380-49-0x00000000009B0000-0x00000000009B7000-memory.dmp

Filesize
28KB

Download
memory/3168-77-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3416-12-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-11-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-7-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-8-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-9-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-25-0x00007FFE947C0000-0x00007FFE947D0000-memory.dmp

Filesize
64KB

Download
memory/3416-26-0x00007FFE947B0000-0x00007FFE947C0000-memory.dmp

Filesize
64KB

Download
memory/3416-24-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-10-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-35-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-13-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-15-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-23-0x0000000002440000-0x0000000002447000-memory.dmp

Filesize
28KB

Download
memory/3416-14-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-6-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3416-4-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3416-3-0x00007FFE93F9A000-0x00007FFE93F9B000-memory.dmp

Filesize
4KB

Download
memory/5036-92-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download