dridex | 43508d520d7e2071ccd08862888e65cb9ae724268835584aec28c355f22f1d92

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43508d520d7e2071ccd08862888e65cb9ae724268835584aec28c355f22f1d92.dll
Size

948KB
MD5

c3da5425420b0f94aa1a58c38ef6d14d
SHA1

891965f46beafca8d84b87e9aa815d8d7b8171fd
SHA256

43508d520d7e2071ccd08862888e65cb9ae724268835584aec28c355f22f1d92
SHA512

1ebc2ca75e6354edd72ef76991569565199267a472756077166deed6fa6b22e46d5df3546910c78b4b80b54e0e98f6eb5142e254feffae2026f46773ac687dee
SSDEEP

6144:D34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:DIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3444-3-0x0000000002BC0000-0x0000000002BC1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/3884-1-0x00007FFF38D40000-0x00007FFF38E2D000-memory.dmp	dridex_payload
behavioral2/memory/3444-17-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/3444-36-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/3444-25-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/3884-39-0x00007FFF38D40000-0x00007FFF38E2D000-memory.dmp	dridex_payload
behavioral2/memory/708-47-0x00007FFF29820000-0x00007FFF2990E000-memory.dmp	dridex_payload
behavioral2/memory/708-52-0x00007FFF29820000-0x00007FFF2990E000-memory.dmp	dridex_payload
behavioral2/memory/2076-63-0x00007FFF28560000-0x00007FFF2864E000-memory.dmp	dridex_payload
behavioral2/memory/2076-67-0x00007FFF28560000-0x00007FFF2864E000-memory.dmp	dridex_payload
behavioral2/memory/2912-79-0x00007FFF29260000-0x00007FFF2934F000-memory.dmp	dridex_payload
behavioral2/memory/2912-81-0x00007FFF29260000-0x00007FFF2934F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
708	GamePanel.exe
2076	osk.exe
2912	mspaint.exe

Loads dropped DLL 4 IoCs

pid	Process
708	GamePanel.exe
708	GamePanel.exe
2076	osk.exe
2912	mspaint.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\THGM2K~1\\osk.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	rundll32.exe
3884	rundll32.exe
3884	rundll32.exe
3884	rundll32.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3444	Process not Found
3444	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2224	3444	Process not Found	98
PID 3444 wrote to memory of 2224	3444	Process not Found	98
PID 3444 wrote to memory of 708	3444	Process not Found	99
PID 3444 wrote to memory of 708	3444	Process not Found	99
PID 3444 wrote to memory of 2916	3444	Process not Found	100
PID 3444 wrote to memory of 2916	3444	Process not Found	100
PID 3444 wrote to memory of 2076	3444	Process not Found	101
PID 3444 wrote to memory of 2076	3444	Process not Found	101
PID 3444 wrote to memory of 4716	3444	Process not Found	102
PID 3444 wrote to memory of 4716	3444	Process not Found	102
PID 3444 wrote to memory of 2912	3444	Process not Found	103
PID 3444 wrote to memory of 2912	3444	Process not Found	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\43508d520d7e2071ccd08862888e65cb9ae724268835584aec28c355f22f1d92.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3884

C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
1⤵
PID:2224

C:\Users\Admin\AppData\Local\rSZ3q\GamePanel.exe
C:\Users\Admin\AppData\Local\rSZ3q\GamePanel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:708

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2916

C:\Users\Admin\AppData\Local\dCpW\osk.exe
C:\Users\Admin\AppData\Local\dCpW\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2076

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:4716

C:\Users\Admin\AppData\Local\FkpG5\mspaint.exe
C:\Users\Admin\AppData\Local\FkpG5\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FkpG5\WINMM.dll

Filesize
956KB

MD5
f4c23f53bc9aa8f3202499cd7d14c46d

SHA1
a590c0c636c0aabc883a303cab47b4caec1a2bcf

SHA256
401dfd1886c2daad1314c7adf0cdab26543320e635af5ebc5dfca480b10ed10b

SHA512
fd7716330730303a0eee3b441a33a6be020b997939bb99ccec106b8d7ac77c887dc4004cce15cc3a20678b2fb92787f5ed9542f497c09b447e47fbe9c2adc61f

Download Submit
C:\Users\Admin\AppData\Local\FkpG5\mspaint.exe

Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\dCpW\WMsgAPI.dll

Filesize
952KB

MD5
0cf57382c69f1bf2e50d0e28b9c57a03

SHA1
53da1c1bc494d4a4fd3a56b3a5e3774ebba8e997

SHA256
7cf2a10df00c9508b5932fb3abbd3f1535f1bf22a5bb3f6da3ded05c835bae6a

SHA512
80e47a1689eaa47febccf12bf746d0ffd5b76f812425d1c770ba45f85d3c658d15cfd41063ec97665d111ed05618114c68fe17537166aa9f2b820f79dd6fda38

Download Submit
C:\Users\Admin\AppData\Local\dCpW\osk.exe

Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Local\rSZ3q\GamePanel.exe

Filesize
1.2MB

MD5
266f6a62c16f6a889218800762b137be

SHA1
31b9bd85a37bf0cbb38a1c30147b83671458fa72

SHA256
71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

SHA512
b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

Download Submit
C:\Users\Admin\AppData\Local\rSZ3q\dxgi.dll

Filesize
952KB

MD5
e6241a6dde5d5649e7a3baa249d87c8a

SHA1
f2189ca3b0cc84abcd07f387617fdebb0f0d2c4c

SHA256
56442be66363c6e50aad5a9b706ea3367b5cba4603697538895725c22244db44

SHA512
c4a00edb531b0de9499a71a288b45fe0c3720445acfe892d72e06ccd07104d3c4cf524040dfa5b442d320d27147beab81cb3c58282cb5b80f0e6dc392be62e1a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1KB

MD5
4af66c9a396b87f9fe93960d152acbeb

SHA1
7722cb2cbb50f1a2dcb21f9f63b893a8dd3ad9ae

SHA256
e41a4d8fbc9432c5a9582854d841e269a56137a941c251cb94c223370761a2eb

SHA512
ca788c9dd72ddafc43eb79fd3b1a629a0752689af3fa155fbf4084da7cf7c7a202048b801f2c6d6bc6ae874e34b161842d3b3f3a371cee25ec5ddf865a986264

Download Submit
memory/708-52-0x00007FFF29820000-0x00007FFF2990E000-memory.dmp

Filesize
952KB

Download
memory/708-49-0x000001CECB8F0000-0x000001CECB8F7000-memory.dmp

Filesize
28KB

Download
memory/708-47-0x00007FFF29820000-0x00007FFF2990E000-memory.dmp

Filesize
952KB

Download
memory/2076-67-0x00007FFF28560000-0x00007FFF2864E000-memory.dmp

Filesize
952KB

Download
memory/2076-63-0x00007FFF28560000-0x00007FFF2864E000-memory.dmp

Filesize
952KB

Download
memory/2912-79-0x00007FFF29260000-0x00007FFF2934F000-memory.dmp

Filesize
956KB

Download
memory/2912-81-0x00007FFF29260000-0x00007FFF2934F000-memory.dmp

Filesize
956KB

Download
memory/3444-36-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-26-0x00007FFF47620000-0x00007FFF47630000-memory.dmp

Filesize
64KB

Download
memory/3444-8-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-7-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-6-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-10-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-9-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-5-0x00007FFF45CAA000-0x00007FFF45CAB000-memory.dmp

Filesize
4KB

Download
memory/3444-13-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-14-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-25-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-12-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-27-0x00007FFF47610000-0x00007FFF47620000-memory.dmp

Filesize
64KB

Download
memory/3444-3-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/3444-16-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-17-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-24-0x0000000000CB0000-0x0000000000CB7000-memory.dmp

Filesize
28KB

Download
memory/3444-15-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3444-11-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3884-0-0x00000207A92E0000-0x00000207A92E7000-memory.dmp

Filesize
28KB

Download
memory/3884-39-0x00007FFF38D40000-0x00007FFF38E2D000-memory.dmp

Filesize
948KB

Download
memory/3884-1-0x00007FFF38D40000-0x00007FFF38E2D000-memory.dmp

Filesize
948KB

Download