dridex | 96245ac3afbbd284ab0a250ef29178ad97dbaa475fe1f7231636c29bdbd1a6c9

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96245ac3afbbd284ab0a250ef29178ad97dbaa475fe1f7231636c29bdbd1a6c9.dll
Size

672KB
MD5

f4ad23ec7d76d48355a204d4cca86bb9
SHA1

21cc90073ea6b2e99f535272e4ec2127c6dfd4c3
SHA256

96245ac3afbbd284ab0a250ef29178ad97dbaa475fe1f7231636c29bdbd1a6c9
SHA512

bdf9ff9cea9d581d4f81524e720985ff82f52ed10267410c43cbeeae018afb2b5b0708d7666393df02284e08736060e124beba414de4a5648a91f6c952f3ab7a
SSDEEP

6144:U34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:UIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3540-3-0x0000000000CA0000-0x0000000000CA1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1004-0-0x00007FF80E620000-0x00007FF80E6C8000-memory.dmp	dridex_payload
behavioral2/memory/3540-16-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3540-35-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3540-24-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/1004-38-0x00007FF80E620000-0x00007FF80E6C8000-memory.dmp	dridex_payload
behavioral2/memory/2092-45-0x00007FFFFF1A0000-0x00007FFFFF28E000-memory.dmp	dridex_payload
behavioral2/memory/2092-50-0x00007FFFFF1A0000-0x00007FFFFF28E000-memory.dmp	dridex_payload
behavioral2/memory/3984-61-0x00007FFFFF1E0000-0x00007FFFFF289000-memory.dmp	dridex_payload
behavioral2/memory/3984-66-0x00007FFFFF1E0000-0x00007FFFFF289000-memory.dmp	dridex_payload
behavioral2/memory/1428-79-0x00007FFFFF1A0000-0x00007FFFFF28E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2092	SystemSettingsAdminFlows.exe
3984	rdpclip.exe
1428	SystemSettingsRemoveDevice.exe

Loads dropped DLL 3 IoCs

pid	Process
2092	SystemSettingsAdminFlows.exe
3984	rdpclip.exe
1428	SystemSettingsRemoveDevice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\T3rrEh\\rdpclip.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3540	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 1520	3540	Process not Found	97
PID 3540 wrote to memory of 1520	3540	Process not Found	97
PID 3540 wrote to memory of 2092	3540	Process not Found	98
PID 3540 wrote to memory of 2092	3540	Process not Found	98
PID 3540 wrote to memory of 4208	3540	Process not Found	99
PID 3540 wrote to memory of 4208	3540	Process not Found	99
PID 3540 wrote to memory of 3984	3540	Process not Found	100
PID 3540 wrote to memory of 3984	3540	Process not Found	100
PID 3540 wrote to memory of 2708	3540	Process not Found	101
PID 3540 wrote to memory of 2708	3540	Process not Found	101
PID 3540 wrote to memory of 1428	3540	Process not Found	102
PID 3540 wrote to memory of 1428	3540	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96245ac3afbbd284ab0a250ef29178ad97dbaa475fe1f7231636c29bdbd1a6c9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1004

C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\0BKvyuG0\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\0BKvyuG0\SystemSettingsAdminFlows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2092

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:4208

C:\Users\Admin\AppData\Local\O32Z1k01\rdpclip.exe
C:\Users\Admin\AppData\Local\O32Z1k01\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3984

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:2708

C:\Users\Admin\AppData\Local\6bIx4WVu\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\6bIx4WVu\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0BKvyuG0\DUI70.dll

Filesize
952KB

MD5
2f96a864f74746a7a520978eac51354e

SHA1
44f75f77b85fec8816534588a3dffd0145d9ab2b

SHA256
af77151a592c80be598cf3b735b3ed042676b1b9a7060d34c4fb67ca192e4bf8

SHA512
9425f2c9d4dd3d96fac3daf9998536facab5cc49126437a4b77a0f5b6552cb1e7c13340291ef3005c86fc9955c0db25b74c9ccf21c1be1d00fdf1928cbe8ce85

Download Submit
C:\Users\Admin\AppData\Local\0BKvyuG0\SystemSettingsAdminFlows.exe

Filesize
506KB

MD5
50adb2c7c145c729b9de8b7cf967dd24

SHA1
a31757f08da6f95156777c1132b6d5f1db3d8f30

SHA256
a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

SHA512
715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

Download Submit
C:\Users\Admin\AppData\Local\6bIx4WVu\DUI70.dll

Filesize
952KB

MD5
cccb30a0c9d49a4fa36d387ef0c27615

SHA1
1e57b46aa373b8c1410b598dce1068ea7e636cb5

SHA256
c1c2e05640a8fd02a11be8a77ca913b11e0354272bf097fcc4d87fcdb519549e

SHA512
d970d5d13ddec1cd278d2896cc8a809adf5c696fa548ce5edef1b913153b0731d304cf18f1d0f76009b45ad7dee474c94b3593239864b0171cdbfec38055af8a

Download Submit
C:\Users\Admin\AppData\Local\6bIx4WVu\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\O32Z1k01\dwmapi.dll

Filesize
676KB

MD5
69dd31fef4839e00ee53cb61581646e4

SHA1
0480edf1354bc82e0812d8a58844d9975880ffe4

SHA256
3bd5f1f77780ca947fe552f9c0d8f073f61a27852ee396d39fee9d7a33d5cfb8

SHA512
52f2bc93c604cfa5c35185255acd05f3878379bf82c9b80e92522b54c535c27a201731c6b966fa95800025769e315217d4892a7839385eeba3206327a205702a

Download Submit
C:\Users\Admin\AppData\Local\O32Z1k01\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
e64cf364b80b5574790c5e44c70ab6f4

SHA1
468dfae9bbd9bc1c478d639dcbf631fe6a4b5073

SHA256
aacbda0da079589405624c87818f66e3e1d4f2081f6b6677bf5ad1f3d97d45e4

SHA512
44368a1454b84411d9f95cfe5ca219c25b007faafa4ae64a7b634d18fe1f9be59d7c5cad68a9f0cf88a26fdc95ee895c806f9eeaac13e2ceec431d8b03ae1c89

Download Submit
memory/1004-2-0x0000013574800000-0x0000013574807000-memory.dmp

Filesize
28KB

Download
memory/1004-38-0x00007FF80E620000-0x00007FF80E6C8000-memory.dmp

Filesize
672KB

Download
memory/1004-0-0x00007FF80E620000-0x00007FF80E6C8000-memory.dmp

Filesize
672KB

Download
memory/1428-79-0x00007FFFFF1A0000-0x00007FFFFF28E000-memory.dmp

Filesize
952KB

Download
memory/2092-45-0x00007FFFFF1A0000-0x00007FFFFF28E000-memory.dmp

Filesize
952KB

Download
memory/2092-47-0x000001D19E910000-0x000001D19E917000-memory.dmp

Filesize
28KB

Download
memory/2092-50-0x00007FFFFF1A0000-0x00007FFFFF28E000-memory.dmp

Filesize
952KB

Download
memory/3540-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-26-0x00007FF81CA30000-0x00007FF81CA40000-memory.dmp

Filesize
64KB

Download
memory/3540-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-24-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-25-0x00007FF81CA40000-0x00007FF81CA50000-memory.dmp

Filesize
64KB

Download
memory/3540-35-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-23-0x0000000000B10000-0x0000000000B17000-memory.dmp

Filesize
28KB

Download
memory/3540-5-0x00007FF81C06A000-0x00007FF81C06B000-memory.dmp

Filesize
4KB

Download
memory/3540-3-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3540-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3984-66-0x00007FFFFF1E0000-0x00007FFFFF289000-memory.dmp

Filesize
676KB

Download
memory/3984-61-0x00007FFFFF1E0000-0x00007FFFFF289000-memory.dmp

Filesize
676KB

Download
memory/3984-63-0x000001FE670C0000-0x000001FE670C7000-memory.dmp

Filesize
28KB

Download