dridex | 05be219e193d428010ae2d069ecfb03840a7c731b83f1e2724b6fd1582a1c5d9

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05be219e193d428010ae2d069ecfb03840a7c731b83f1e2724b6fd1582a1c5d9.dll
Size

696KB
MD5

f7237ce6f2ea2844db1ffc53b74b57d3
SHA1

6807e9453325515ec348cdad087d182dc3804154
SHA256

05be219e193d428010ae2d069ecfb03840a7c731b83f1e2724b6fd1582a1c5d9
SHA512

2467a1e9bb2d046e13711851fc2d08d1fb903e8fee5bd40bc356c82d3633651f1072a191a582a09ca6bc0af0950322fa398440a99f0376239570de0a503b5efa
SSDEEP

12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3460-4-0x00000000027D0000-0x00000000027D1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/64-0-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3460-34-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3460-23-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/64-37-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/1172-45-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/1172-49-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3260-60-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_payload
behavioral2/memory/3260-65-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_payload
behavioral2/memory/3448-80-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1172	rstrui.exe
3260	msinfo32.exe
3448	sdclt.exe

Loads dropped DLL 3 IoCs

pid	Process
1172	rstrui.exe
3260	msinfo32.exe
3448	sdclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\1CdQPHkPWT\\msinfo32.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
64	rundll32.exe
64	rundll32.exe
64	rundll32.exe
64	rundll32.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3040	3460	Process not Found	97
PID 3460 wrote to memory of 3040	3460	Process not Found	97
PID 3460 wrote to memory of 1172	3460	Process not Found	98
PID 3460 wrote to memory of 1172	3460	Process not Found	98
PID 3460 wrote to memory of 1712	3460	Process not Found	99
PID 3460 wrote to memory of 1712	3460	Process not Found	99
PID 3460 wrote to memory of 3260	3460	Process not Found	100
PID 3460 wrote to memory of 3260	3460	Process not Found	100
PID 3460 wrote to memory of 5032	3460	Process not Found	101
PID 3460 wrote to memory of 5032	3460	Process not Found	101
PID 3460 wrote to memory of 3448	3460	Process not Found	102
PID 3460 wrote to memory of 3448	3460	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05be219e193d428010ae2d069ecfb03840a7c731b83f1e2724b6fd1582a1c5d9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:64

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:3040

C:\Users\Admin\AppData\Local\cqb\rstrui.exe
C:\Users\Admin\AppData\Local\cqb\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1172

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\7GBWe\msinfo32.exe
C:\Users\Admin\AppData\Local\7GBWe\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3260

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:5032

C:\Users\Admin\AppData\Local\xjRA6F\sdclt.exe
C:\Users\Admin\AppData\Local\xjRA6F\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7GBWe\MFC42u.dll

Filesize
724KB

MD5
496872e2b240a3021498fc151089234a

SHA1
a1b345f773efc7a2f3adcde58beb6ba7a0df79f5

SHA256
f67e57467034c0fe2c2858df4927e7b9893ab8811d55c5622c1b1b6116ee0c53

SHA512
114ccd7a80f2a888e61480b06618463dca1936aa1ba23d81b2635dea021994d1f87bdfccc0aa22c1ca9d43371b2090c5891a9e35ecc37fd7b78057d42b04d109

Download Submit
C:\Users\Admin\AppData\Local\7GBWe\msinfo32.exe

Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\cqb\SRCORE.dll

Filesize
700KB

MD5
5f73b27c5107687d70dab0dfad053c04

SHA1
efc6aa144bb2836870f70d40721c8ec02ef5ea5e

SHA256
10d4b1b02ce6d7c6d9e6bcb5610c40c818a53dbe3a8387c2fe638fdfd81930de

SHA512
d763dfaf73d6d8a25334a2b0c3237a941d82e45f6d6480398206219741206354755c75e55c75385f0ab8e6957192cb760ad6eb9549e92ed7d1dd9152aa77b0fc

Download Submit
C:\Users\Admin\AppData\Local\cqb\rstrui.exe

Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\xjRA6F\SPP.dll

Filesize
700KB

MD5
7c3f07969af7210ca7dd252a468421a3

SHA1
3ce62fa3447299dd0f5e5818c282fa5c778b63d2

SHA256
109912540e1effe76d2dbaeb5bd2e0743dbc9294f2f0b521aacaa4148c567cfd

SHA512
9ce64b1d71b8a3d82079b45bae3352a428bf37a8d31e6e37beed99f1bc6ee0a213fba6baaaf84438d96a980b1585facb41eada490e4f2b99d38f037b9013ae77

Download Submit
C:\Users\Admin\AppData\Local\xjRA6F\sdclt.exe

Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
1KB

MD5
9a700df1178df63e2969f3f4bd8cae71

SHA1
1e0f6a337fb66729808b3a45f7c67a582a8bd649

SHA256
b6d3fb8973c83a5832028b4f801945687e05344d13c2c14c0d8473cce4eb80bc

SHA512
07b8dc68d2461c45c9b9a1bf32c94b13024895958aaa7cab2f313ea711853716bec0e9fed44d3442153833a4b649601ceca523e4925bf3474a4249238c1ce129

Download Submit
memory/64-2-0x000002C724240000-0x000002C724247000-memory.dmp

Filesize
28KB

Download
memory/64-37-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/64-0-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1172-49-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1172-45-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1172-44-0x0000023506870000-0x0000023506877000-memory.dmp

Filesize
28KB

Download
memory/3260-60-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3260-61-0x0000013450AF0000-0x0000013450AF7000-memory.dmp

Filesize
28KB

Download
memory/3260-65-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-80-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3460-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-23-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-34-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-25-0x00007FF83CE50000-0x00007FF83CE60000-memory.dmp

Filesize
64KB

Download
memory/3460-24-0x00007FF83CE60000-0x00007FF83CE70000-memory.dmp

Filesize
64KB

Download
memory/3460-22-0x0000000000C00000-0x0000000000C07000-memory.dmp

Filesize
28KB

Download
memory/3460-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3460-3-0x00007FF83BA0A000-0x00007FF83BA0B000-memory.dmp

Filesize
4KB

Download
memory/3460-4-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download