dridex | 9dae682deb306e5c72d8beedc9eedf323b3521386e4aa10bb9b9d3f3094666fd

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dae682deb306e5c72d8beedc9eedf323b3521386e4aa10bb9b9d3f3094666fd.dll
Size

672KB
MD5

08fc9ca5c852d1e0868b059d591464a9
SHA1

9735f7c6a437b5d19a9650aedb20210bae91fccf
SHA256

9dae682deb306e5c72d8beedc9eedf323b3521386e4aa10bb9b9d3f3094666fd
SHA512

e353c859df21732c32a6a206ab1be26525df105da216c83c0d4679bb8a3e3f2190654df037232497a04d02699897850c136f47e5428897d9151c49e1ccd7f717
SSDEEP

6144:Y34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:YIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3560-3-0x0000000001430000-0x0000000001431000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2964-1-0x00007FFEC0550000-0x00007FFEC05F8000-memory.dmp	dridex_payload
behavioral2/memory/3560-16-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3560-24-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3560-35-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/2964-38-0x00007FFEC0550000-0x00007FFEC05F8000-memory.dmp	dridex_payload
behavioral2/memory/1140-46-0x00007FFEB1410000-0x00007FFEB14B9000-memory.dmp	dridex_payload
behavioral2/memory/1140-50-0x00007FFEB1410000-0x00007FFEB14B9000-memory.dmp	dridex_payload
behavioral2/memory/3760-62-0x00007FFEB1300000-0x00007FFEB13AA000-memory.dmp	dridex_payload
behavioral2/memory/3760-66-0x00007FFEB1300000-0x00007FFEB13AA000-memory.dmp	dridex_payload
behavioral2/memory/3264-77-0x00007FFEB1300000-0x00007FFEB13A9000-memory.dmp	dridex_payload
behavioral2/memory/3264-81-0x00007FFEB1300000-0x00007FFEB13A9000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1140	BitLockerWizardElev.exe
3760	RdpSa.exe
3264	BdeUISrv.exe

Loads dropped DLL 3 IoCs

pid	Process
1140	BitLockerWizardElev.exe
3760	RdpSa.exe
3264	BdeUISrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\V0\\RdpSa.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3560	Process not Found
3560	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 1756	3560	Process not Found	97
PID 3560 wrote to memory of 1756	3560	Process not Found	97
PID 3560 wrote to memory of 1140	3560	Process not Found	98
PID 3560 wrote to memory of 1140	3560	Process not Found	98
PID 3560 wrote to memory of 3736	3560	Process not Found	99
PID 3560 wrote to memory of 3736	3560	Process not Found	99
PID 3560 wrote to memory of 3760	3560	Process not Found	100
PID 3560 wrote to memory of 3760	3560	Process not Found	100
PID 3560 wrote to memory of 2060	3560	Process not Found	101
PID 3560 wrote to memory of 2060	3560	Process not Found	101
PID 3560 wrote to memory of 3264	3560	Process not Found	102
PID 3560 wrote to memory of 3264	3560	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dae682deb306e5c72d8beedc9eedf323b3521386e4aa10bb9b9d3f3094666fd.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\LdsE\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\LdsE\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1140

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:3736

C:\Users\Admin\AppData\Local\PyLu\RdpSa.exe
C:\Users\Admin\AppData\Local\PyLu\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3760

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2060

C:\Users\Admin\AppData\Local\4TCzQzznQ\BdeUISrv.exe
C:\Users\Admin\AppData\Local\4TCzQzznQ\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4TCzQzznQ\BdeUISrv.exe

Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\4TCzQzznQ\WTSAPI32.dll

Filesize
676KB

MD5
6076a0059e225d28a1fdf08f9ab5afa9

SHA1
f5aecbd08301ef61fabef398d7942fba940219d4

SHA256
843cd4fc20e749c56fcfd76f5db71893b565de6e516bf104d2281a2acbd1af25

SHA512
3d2ec45dd303925b440927b0f442cfb1e286dea193bf0e1225cbe8bba7edb1bc6cc9f7c92085be11e663369ed53cede5e9c61c788add6785e1884b4e84eaca68

Download Submit
C:\Users\Admin\AppData\Local\LdsE\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\LdsE\FVEWIZ.dll

Filesize
676KB

MD5
bd9e41e0eadf443b7824d5379faee6e7

SHA1
14deeb327cb0e9f0008e9929fd56cd0e6cb1aa21

SHA256
89118eb629e6b5e50dc4034638858c67d9af8240ea2d8f920de26f0d50afed11

SHA512
66e59b4c6556772671375340155c4f8632e9f2b16e5e1d944e53e19cc5c74c0abb7dcab12762b49c9e9f1072081a15105d30d2af9441230ac1c6c77195ad2692

Download Submit
C:\Users\Admin\AppData\Local\PyLu\RdpSa.exe

Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\PyLu\WINSTA.dll

Filesize
680KB

MD5
6c7232056d0a6dd72043f4fa6ea434ed

SHA1
d116e2907f2664ffb2ce44528978c51982ccd075

SHA256
9aef30902f615e0c9c7f9aad1569d8447540a569505daaf7b7efca1639eea145

SHA512
144794b05f0a2295e5ab437020302041fb87647af7af6794965f881f77471720cae93d116c07a4938a1be30bc5d4b2ae7cde518ce12f9b7de12c27a3cb572a46

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
1bdac1d6060f62052e7e8a5088e5d889

SHA1
9d8f98286ae0b7b5c8b7a7d6320b6208327e41e9

SHA256
6d907ab00fc8494610566851f697eea05ea5ffdfd63e922234aba02b03246192

SHA512
b777f21ce12ad6448538b3d8fda4a8399324ea4d35207d5ff61288ad1c0645800baa35a2a8657138c75d90106178279dd71627a28f6981f062c8371c52cfcd53

Download Submit
memory/1140-50-0x00007FFEB1410000-0x00007FFEB14B9000-memory.dmp

Filesize
676KB

Download
memory/1140-45-0x00000236CFFC0000-0x00000236CFFC7000-memory.dmp

Filesize
28KB

Download
memory/1140-46-0x00007FFEB1410000-0x00007FFEB14B9000-memory.dmp

Filesize
676KB

Download
memory/2964-0-0x0000028948390000-0x0000028948397000-memory.dmp

Filesize
28KB

Download
memory/2964-38-0x00007FFEC0550000-0x00007FFEC05F8000-memory.dmp

Filesize
672KB

Download
memory/2964-1-0x00007FFEC0550000-0x00007FFEC05F8000-memory.dmp

Filesize
672KB

Download
memory/3264-77-0x00007FFEB1300000-0x00007FFEB13A9000-memory.dmp

Filesize
676KB

Download
memory/3264-81-0x00007FFEB1300000-0x00007FFEB13A9000-memory.dmp

Filesize
676KB

Download
memory/3560-25-0x00007FFECEBC0000-0x00007FFECEBD0000-memory.dmp

Filesize
64KB

Download
memory/3560-26-0x00007FFECEBB0000-0x00007FFECEBC0000-memory.dmp

Filesize
64KB

Download
memory/3560-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-35-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-24-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-5-0x00007FFECDD2A000-0x00007FFECDD2B000-memory.dmp

Filesize
4KB

Download
memory/3560-3-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3560-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3560-23-0x0000000001400000-0x0000000001407000-memory.dmp

Filesize
28KB

Download
memory/3560-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3760-66-0x00007FFEB1300000-0x00007FFEB13AA000-memory.dmp

Filesize
680KB

Download
memory/3760-62-0x00007FFEB1300000-0x00007FFEB13AA000-memory.dmp

Filesize
680KB

Download
memory/3760-61-0x0000023FB2D10000-0x0000023FB2D17000-memory.dmp

Filesize
28KB

Download