dridex | 87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447.dll
Size

692KB
MD5

65411740b33c7475d67552a92d3c4054
SHA1

d1191e086f3faa2f2168a28eac66d7360c94d5e9
SHA256

87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447
SHA512

3bdb279bba9946af41d4bccc9b2bed4c8f37fc03d0cc53d0845311645ba39d6a30ca0e8d6bbe7bc8a1d94c8cacaeb8f515686b226e59b8ec06f6d6242c85fb03
SSDEEP

12288:cqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:cqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3352-3-0x0000000002990000-0x0000000002991000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2316-1-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/3352-22-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/3352-33-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/2316-36-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/3224-44-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3224-48-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/5060-60-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/5060-64-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/696-79-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

LockScreenContentServer.exewlrmdr.exeOptionalFeatures.exe

pid	Process
3224	LockScreenContentServer.exe
5060	wlrmdr.exe
696	OptionalFeatures.exe

Loads dropped DLL 3 IoCs

Processes:

LockScreenContentServer.exewlrmdr.exeOptionalFeatures.exe

pid	Process
3224	LockScreenContentServer.exe
5060	wlrmdr.exe
696	OptionalFeatures.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzvdnevrdk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\MEgIZT3\\wlrmdr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wlrmdr.exeOptionalFeatures.exerundll32.exeLockScreenContentServer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3352
3352

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3352 wrote to memory of 3848	3352	94
PID 3352 wrote to memory of 3848	3352	94
PID 3352 wrote to memory of 3224	3352	95
PID 3352 wrote to memory of 3224	3352	95
PID 3352 wrote to memory of 4040	3352	96
PID 3352 wrote to memory of 4040	3352	96
PID 3352 wrote to memory of 5060	3352	97
PID 3352 wrote to memory of 5060	3352	97
PID 3352 wrote to memory of 4252	3352	98
PID 3352 wrote to memory of 4252	3352	98
PID 3352 wrote to memory of 696	3352	99
PID 3352 wrote to memory of 696	3352	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:3848

C:\Users\Admin\AppData\Local\6OsJc\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\6OsJc\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3224

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:4040

C:\Users\Admin\AppData\Local\kBCJFjuT\wlrmdr.exe
C:\Users\Admin\AppData\Local\kBCJFjuT\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5060

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:4252

C:\Users\Admin\AppData\Local\4jErG\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\4jErG\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4jErG\OptionalFeatures.exe

Filesize
110KB

MD5
d6cd8bef71458804dbc33b88ace56372

SHA1
a18b58445be2492c5d37abad69b5aa0d29416a60

SHA256
fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

SHA512
1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

Download Submit
C:\Users\Admin\AppData\Local\4jErG\appwiz.cpl

Filesize
696KB

MD5
df21b485a10c385c1639ad8d700e7145

SHA1
3fb4519e16f3eb802958a797d0bbdf0da96cfc7d

SHA256
636bcfaf5cf6b82149d067b53588f78a08aece0f6f37c01a0c1b1e37372c6c22

SHA512
53d4d93292d5e40565713426aa4791cff6777d7a2f27ba96a23c4e0d7eb912cef48c0972eb725276b362a1ab980aa33cee44941e309fd38aebd5e38e5e5c5274

Download Submit
C:\Users\Admin\AppData\Local\6OsJc\LockScreenContentServer.exe

Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Local\6OsJc\dwmapi.dll

Filesize
696KB

MD5
f094cc0d7ecc4cde4c697bb973dcf563

SHA1
e87f6423754e430ffe28f113a275c963993d128e

SHA256
49c951943bef168300888ddf1c6249ae7b44cefd1dde0362d4af8dce143d7473

SHA512
d978f2bdedda14af1911f93bb0f8b98a8ae1b80f98c0f3e38cdf92241b5e89b37f39399c0d11d85d8d2b0385ae2bec2958ee804afccfcd430015ce1bc89a8c76

Download Submit
C:\Users\Admin\AppData\Local\kBCJFjuT\DUI70.dll

Filesize
972KB

MD5
000a83b8365c0523ade905b845df0a76

SHA1
d594d7896c909cb10e5012d69e3dd861c3590a7d

SHA256
6c61e6fd3879f8a58cdfb4f68978025ec29200118e11c7da8dcc39893e4824f4

SHA512
46e96e1df1827ff77cdc53cf6356ff7ed08ef40f1a745251869143492975a29bfea79c605270c9dca0af2f2aedd5f2646f8af2fb7732b9fbaff915fdb21cc711

Download Submit
C:\Users\Admin\AppData\Local\kBCJFjuT\wlrmdr.exe

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk

Filesize
1KB

MD5
dc0b0bc9cd62908ba636a5785ff849d1

SHA1
edd3dbc6ee7d60f6ba6ad32dcf5819d2ab66d27f

SHA256
7f4b2fa9fc5e1752398dad44c21ef1f6e528f61e24b4da6ae06814a05769276c

SHA512
14d50b2f963053c0ecfd17e2d627a01d363e71ffc69cb0afb5fe23a9dcd25fbc6c3a02b0f72a1ed8b96c87bc357ca54d4eed4652cce3e634089429950c4fe9f0

Download Submit
memory/696-79-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2316-0-0x00000218A8CC0000-0x00000218A8CC7000-memory.dmp

Filesize
28KB

Download
memory/2316-36-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/2316-1-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3224-48-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3224-44-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3224-43-0x000001C9E2770000-0x000001C9E2777000-memory.dmp

Filesize
28KB

Download
memory/3352-11-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-13-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-7-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-9-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-10-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-33-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-23-0x00007FF988260000-0x00007FF988270000-memory.dmp

Filesize
64KB

Download
memory/3352-24-0x00007FF988250000-0x00007FF988260000-memory.dmp

Filesize
64KB

Download
memory/3352-22-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-8-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-21-0x0000000000B00000-0x0000000000B07000-memory.dmp

Filesize
28KB

Download
memory/3352-3-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3352-5-0x00007FF9875DA000-0x00007FF9875DB000-memory.dmp

Filesize
4KB

Download
memory/3352-6-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3352-12-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/5060-64-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/5060-60-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/5060-59-0x0000029077500000-0x0000029077507000-memory.dmp

Filesize
28KB

Download