dridex | c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9.dll
Size

696KB
MD5

631038be4bd53f745415c744e811f016
SHA1

bf6039ad50e15305c2983d6ee8ff6cf1cfeb8fec
SHA256

c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9
SHA512

5abcc343583f350ebff83996ffaea1faca0491f5a85e2a1b739263100899bb88ef5969dc180c4d7d91c248f0f20a45b7b9b6187462ea98d70284cb4dd6a88385
SSDEEP

12288:eqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:eqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3452-4-0x0000000002B30000-0x0000000002B31000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4552-1-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3452-34-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3452-23-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/4552-37-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/1464-44-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/1464-49-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/4824-61-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/4824-65-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3960-80-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1464	dialer.exe
4824	isoburn.exe
3960	AgentService.exe

Loads dropped DLL 3 IoCs

pid	Process
1464	dialer.exe
4824	isoburn.exe
3960	AgentService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\Vpa\\isoburn.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	rundll32.exe
4552	rundll32.exe
4552	rundll32.exe
4552	rundll32.exe
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3452	Process not Found
3452	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 5012	3452	Process not Found	94
PID 3452 wrote to memory of 5012	3452	Process not Found	94
PID 3452 wrote to memory of 1464	3452	Process not Found	95
PID 3452 wrote to memory of 1464	3452	Process not Found	95
PID 3452 wrote to memory of 3488	3452	Process not Found	96
PID 3452 wrote to memory of 3488	3452	Process not Found	96
PID 3452 wrote to memory of 4824	3452	Process not Found	97
PID 3452 wrote to memory of 4824	3452	Process not Found	97
PID 3452 wrote to memory of 2020	3452	Process not Found	98
PID 3452 wrote to memory of 2020	3452	Process not Found	98
PID 3452 wrote to memory of 3960	3452	Process not Found	99
PID 3452 wrote to memory of 3960	3452	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:5012

C:\Users\Admin\AppData\Local\Zc1TP0TH\dialer.exe
C:\Users\Admin\AppData\Local\Zc1TP0TH\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1464

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:3488

C:\Users\Admin\AppData\Local\V0Zz6YU\isoburn.exe
C:\Users\Admin\AppData\Local\V0Zz6YU\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\G62J\AgentService.exe
C:\Users\Admin\AppData\Local\G62J\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\G62J\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Local\G62J\VERSION.dll

Filesize
700KB

MD5
07426700d625063140e6072721592651

SHA1
42d59043536b5c075c357e12a00fe8bd72769ee3

SHA256
2381605c2f6c54a0a72fb7d8b882386c242eebdc0d9810a05d1832201a207a5a

SHA512
b4a61b77afbdf887e6566560dc31b395888e2ec8d11405a907135bd6f819dfb8ffad064cd1af0966d9863749a4379f7a6abbfdcea4ba21235a47e7cab8d4fa9f

Download Submit
C:\Users\Admin\AppData\Local\V0Zz6YU\UxTheme.dll

Filesize
700KB

MD5
3e10cfaeeaabed8e245df6c51031ec43

SHA1
aa66cc51d51a401632f3ead4c0248f3078ac5b8f

SHA256
568f34092dec33eb5fcf5364950d26cc0f19c0556d51779b1cbedd5762767d74

SHA512
f6db8e0ae6da656fd3cecb5de75c825783550a54601c2e12c17153967a887ae8d0ef8ec52fe3d3cbd66a93d19d0aa8b31ca4fdb6886f0964592637e89e0649c0

Download Submit
C:\Users\Admin\AppData\Local\V0Zz6YU\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Local\Zc1TP0TH\TAPI32.dll

Filesize
704KB

MD5
5acfaa65fd39c4b1928eeaa8bd7a54ef

SHA1
08721766d7cc70ae6b95bd01299e54f218bb7746

SHA256
b8c98bf850d49bc7e2775802097058474b2aca757267c1bbd000270c70554a9c

SHA512
5bc761ae2d564b6a049d58f29023162f2e9e7654d5d13c5d62e35916c8c59edc869bbe390f87b2f3065cb7afeb2d4a608c411f260f77ad1d04b46d4893d5a695

Download Submit
C:\Users\Admin\AppData\Local\Zc1TP0TH\dialer.exe

Filesize
39KB

MD5
b2626bdcf079c6516fc016ac5646df93

SHA1
838268205bd97d62a31094d53643c356ea7848a6

SHA256
e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

SHA512
615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
238f4956cd51210dd354daf990896eeb

SHA1
825adfad6bd2bf94c3039409569369ce86761c6f

SHA256
57f73b7936ad4c8e19a368e2474262db3dc0dcea675afd3f6828dd1b1b17bc5a

SHA512
24f6624d1399c090e01836329cfdc89c62bbab4ab88aea2ed9d7d146cbbb7a26492be1ce303212c5c677605ced3146f2143535dc8018874aef7b251aa0b91e84

Download Submit
memory/1464-49-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1464-44-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1464-46-0x000002A99D970000-0x000002A99D977000-memory.dmp

Filesize
28KB

Download
memory/3452-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-24-0x00007FFA9A2A0000-0x00007FFA9A2B0000-memory.dmp

Filesize
64KB

Download
memory/3452-23-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-4-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/3452-3-0x00007FFA9A20A000-0x00007FFA9A20B000-memory.dmp

Filesize
4KB

Download
memory/3452-25-0x00007FFA9A290000-0x00007FFA9A2A0000-memory.dmp

Filesize
64KB

Download
memory/3452-34-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-22-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/3452-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3452-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3960-80-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/4552-0-0x00000246C3E20000-0x00000246C3E27000-memory.dmp

Filesize
28KB

Download
memory/4552-37-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/4552-1-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/4824-65-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/4824-61-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/4824-60-0x000002DE27A20000-0x000002DE27A27000-memory.dmp

Filesize
28KB

Download