dridex | 5a9312f37fc4f6e40e1cf12c15df2a7d84199ac4d594831db9f6ca1c4a6cbfab

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 05:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a9312f37fc4f6e40e1cf12c15df2a7d84199ac4d594831db9f6ca1c4a6cbfab.dll
Size

668KB
MD5

f640bf21877302ba5a105a1cc52c4aef
SHA1

7f84c86e274bed6a64be7123cb15f4e1fc477ff6
SHA256

5a9312f37fc4f6e40e1cf12c15df2a7d84199ac4d594831db9f6ca1c4a6cbfab
SHA512

d0f670cd9a926c674bfb926b6d080ecc8e0b3d6f2350567cb0d8ff56a15c53b461064026f5b9604afbab6035b4aed7786c66d3ef529fa789708910c1d6acc3fd
SSDEEP

6144:f34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT9:fIKp/UWCZdCDh2IZDwAFRpR6Auz1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3500-3-0x0000000002380000-0x0000000002381000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/5024-0-0x00007FFFE1B40000-0x00007FFFE1BE7000-memory.dmp	dridex_payload
behavioral2/memory/3500-35-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/3500-24-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/3500-16-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/5024-38-0x00007FFFE1B40000-0x00007FFFE1BE7000-memory.dmp	dridex_payload
behavioral2/memory/3700-45-0x00007FFFD2A10000-0x00007FFFD2AB8000-memory.dmp	dridex_payload
behavioral2/memory/3700-50-0x00007FFFD2A10000-0x00007FFFD2AB8000-memory.dmp	dridex_payload
behavioral2/memory/1584-61-0x00007FFFD28C0000-0x00007FFFD29AD000-memory.dmp	dridex_payload
behavioral2/memory/1584-66-0x00007FFFD28C0000-0x00007FFFD29AD000-memory.dmp	dridex_payload
behavioral2/memory/648-81-0x00007FFFD2A10000-0x00007FFFD2AB8000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3700	sigverif.exe
1584	WindowsActionDialog.exe
648	msconfig.exe

Loads dropped DLL 3 IoCs

pid	Process
3700	sigverif.exe
1584	WindowsActionDialog.exe
648	msconfig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\7tvFyzY6\\WINDOW~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3500	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 8	3500	Process not Found	94
PID 3500 wrote to memory of 8	3500	Process not Found	94
PID 3500 wrote to memory of 3700	3500	Process not Found	95
PID 3500 wrote to memory of 3700	3500	Process not Found	95
PID 3500 wrote to memory of 756	3500	Process not Found	96
PID 3500 wrote to memory of 756	3500	Process not Found	96
PID 3500 wrote to memory of 1584	3500	Process not Found	97
PID 3500 wrote to memory of 1584	3500	Process not Found	97
PID 3500 wrote to memory of 3184	3500	Process not Found	98
PID 3500 wrote to memory of 3184	3500	Process not Found	98
PID 3500 wrote to memory of 648	3500	Process not Found	99
PID 3500 wrote to memory of 648	3500	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9312f37fc4f6e40e1cf12c15df2a7d84199ac4d594831db9f6ca1c4a6cbfab.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:8

C:\Users\Admin\AppData\Local\gDAQ6\sigverif.exe
C:\Users\Admin\AppData\Local\gDAQ6\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3700

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:756

C:\Users\Admin\AppData\Local\U5I\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\U5I\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1584

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:3184

C:\Users\Admin\AppData\Local\PMcndVV\msconfig.exe
C:\Users\Admin\AppData\Local\PMcndVV\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PMcndVV\VERSION.dll

Filesize
672KB

MD5
5c8cee3633c52170ed02e8f5404aec20

SHA1
0b676d48b0ad7246738617acf280a6aa8756e4b0

SHA256
7b3d8f0f33ddde6f7b3da2f620939342356f9f98b8468923123ab6ef4dc23e53

SHA512
6f42710a14c871aecd14ffa7a50d08e94dfdfb1a18c89596491ff6162862d74a15cd940fca91ca88c7023bb7619381396d40a111a6deb40b80a76e86e9636851

Download Submit
C:\Users\Admin\AppData\Local\PMcndVV\msconfig.exe

Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\U5I\DUI70.dll

Filesize
948KB

MD5
ae3e46694ac329f8d79a06589b60ed6e

SHA1
b5e5db8641afd0e5eb9dd73f4a51e690cadc34f5

SHA256
90e05a25845ee1132686f8c2c9cf6a4d9a9596be705c39d4cec2cc38e92b52b5

SHA512
c3456a616bcf491a6512877edd08ca4f640f21272a58d2b7c1ad2b5963d3419db5e953a55d41e76ed8a1cf613b09cae17d8979198ecb6667ce11fbadc30466ac

Download Submit
C:\Users\Admin\AppData\Local\U5I\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\gDAQ6\VERSION.dll

Filesize
672KB

MD5
dc0ad163b13e0f5be1b83107ca07b4b4

SHA1
e23fa8799f2f5ffdc0076e4f8f269423bc1c2246

SHA256
740ec0a84b2b69041405e211c1af2b53c4acb580d0f03d9b03d5d63a0b803ac8

SHA512
87883b46f79f666079eb2204564cc066116e0930922ce9f086feb6532e5e3fb62b3777001aeb83e255b82d4d66d9987ecf04afc5b6b0980c61185baaca34f176

Download Submit
C:\Users\Admin\AppData\Local\gDAQ6\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
8e3ae67d051c8a6c7a25fe4a13d47302

SHA1
39061781c41ee999a57031b1a751c2c103351acf

SHA256
57c6d2f65b9e96c0129ea10a605a4ff93a412aabdd4dce6ec090f6cbe85f1d10

SHA512
26780913b414936b0423f8de9ee7fd8d19ee5dc14ac88f755881afe101c218c0233f49fbdb9d6e6e781873bc00de5addb335b15f84962deda7777873772c3782

Download Submit
memory/648-81-0x00007FFFD2A10000-0x00007FFFD2AB8000-memory.dmp

Filesize
672KB

Download
memory/1584-66-0x00007FFFD28C0000-0x00007FFFD29AD000-memory.dmp

Filesize
948KB

Download
memory/1584-61-0x00007FFFD28C0000-0x00007FFFD29AD000-memory.dmp

Filesize
948KB

Download
memory/1584-63-0x0000023D88840000-0x0000023D88847000-memory.dmp

Filesize
28KB

Download
memory/3500-8-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-14-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-10-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-16-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-9-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-3-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3500-7-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-6-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-4-0x00007FFFEF0EA000-0x00007FFFEF0EB000-memory.dmp

Filesize
4KB

Download
memory/3500-23-0x00000000021F0000-0x00000000021F7000-memory.dmp

Filesize
28KB

Download
memory/3500-12-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-11-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-15-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-26-0x00007FFFF01D0000-0x00007FFFF01E0000-memory.dmp

Filesize
64KB

Download
memory/3500-35-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-13-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-24-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3500-25-0x00007FFFF01E0000-0x00007FFFF01F0000-memory.dmp

Filesize
64KB

Download
memory/3700-50-0x00007FFFD2A10000-0x00007FFFD2AB8000-memory.dmp

Filesize
672KB

Download
memory/3700-45-0x00007FFFD2A10000-0x00007FFFD2AB8000-memory.dmp

Filesize
672KB

Download
memory/3700-47-0x0000019BD63F0000-0x0000019BD63F7000-memory.dmp

Filesize
28KB

Download
memory/5024-38-0x00007FFFE1B40000-0x00007FFFE1BE7000-memory.dmp

Filesize
668KB

Download
memory/5024-0-0x00007FFFE1B40000-0x00007FFFE1BE7000-memory.dmp

Filesize
668KB

Download
memory/5024-2-0x000001708C510000-0x000001708C517000-memory.dmp

Filesize
28KB

Download