dridex | 41614fc30de6ea778c6fa12e9ed5cb389679580e3903a40b3373d92b103eb010

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41614fc30de6ea778c6fa12e9ed5cb389679580e3903a40b3373d92b103eb010.dll
Size

948KB
MD5

80f06337c927418ef2dbe6efa147d64a
SHA1

4a016b8fe8c023f840f18d3b40f6e6f44fb9d6f2
SHA256

41614fc30de6ea778c6fa12e9ed5cb389679580e3903a40b3373d92b103eb010
SHA512

0abe2424cdd1f23f60dea1a920aa930805f805a913c6d4916986329874fa1e4c6b5e22dc39123191c903460f21786b6e828447dc1bfbaa65576d11a479db18b5
SSDEEP

6144:P34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:PIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3440-3-0x00000000033C0000-0x00000000033C1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/692-1-0x00007FFE01450000-0x00007FFE0153D000-memory.dmp	dridex_payload
behavioral2/memory/3440-17-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/3440-36-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/3440-25-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/692-39-0x00007FFE01450000-0x00007FFE0153D000-memory.dmp	dridex_payload
behavioral2/memory/3960-46-0x00007FFDF2AD0000-0x00007FFDF2BBE000-memory.dmp	dridex_payload
behavioral2/memory/3960-51-0x00007FFDF2AD0000-0x00007FFDF2BBE000-memory.dmp	dridex_payload
behavioral2/memory/3588-75-0x00007FFDF2AD0000-0x00007FFDF2BBE000-memory.dmp	dridex_payload
behavioral2/memory/1916-86-0x00007FFDF2AD0000-0x00007FFDF2BBF000-memory.dmp	dridex_payload
behavioral2/memory/1916-90-0x00007FFDF2AD0000-0x00007FFDF2BBF000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

pid	Process
3960	iexpress.exe
2904	wermgr.exe
3588	DeviceEnroller.exe
1916	RdpSaUacHelper.exe

Loads dropped DLL 3 IoCs

pid	Process
3960	iexpress.exe
3588	DeviceEnroller.exe
1916	RdpSaUacHelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\DTNmYIy\\DeviceEnroller.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 1376	3440	Process not Found	94
PID 3440 wrote to memory of 1376	3440	Process not Found	94
PID 3440 wrote to memory of 3960	3440	Process not Found	95
PID 3440 wrote to memory of 3960	3440	Process not Found	95
PID 3440 wrote to memory of 2784	3440	Process not Found	96
PID 3440 wrote to memory of 2784	3440	Process not Found	96
PID 3440 wrote to memory of 2904	3440	Process not Found	97
PID 3440 wrote to memory of 2904	3440	Process not Found	97
PID 3440 wrote to memory of 4904	3440	Process not Found	98
PID 3440 wrote to memory of 4904	3440	Process not Found	98
PID 3440 wrote to memory of 3588	3440	Process not Found	99
PID 3440 wrote to memory of 3588	3440	Process not Found	99
PID 3440 wrote to memory of 2864	3440	Process not Found	100
PID 3440 wrote to memory of 2864	3440	Process not Found	100
PID 3440 wrote to memory of 1916	3440	Process not Found	101
PID 3440 wrote to memory of 1916	3440	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41614fc30de6ea778c6fa12e9ed5cb389679580e3903a40b3373d92b103eb010.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:692

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1376

C:\Users\Admin\AppData\Local\w6BmVUM\iexpress.exe
C:\Users\Admin\AppData\Local\w6BmVUM\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3960

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\x30\wermgr.exe
C:\Users\Admin\AppData\Local\x30\wermgr.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:4904

C:\Users\Admin\AppData\Local\JK7\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\JK7\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3588

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:2864

C:\Users\Admin\AppData\Local\k1l\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\k1l\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JK7\DeviceEnroller.exe

Filesize
448KB

MD5
946d9474533f58d2613078fd14ca7473

SHA1
c2620ac9522fa3702a6a03299b930d6044aa5e49

SHA256
cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

SHA512
3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

Download Submit
C:\Users\Admin\AppData\Local\JK7\XmlLite.dll

Filesize
952KB

MD5
a43191805bc7dab35897a7cda8f5ec95

SHA1
30a23f3ab99aef5c9cde2dabdc3d6a48214d1e84

SHA256
ee0a8b121efbbc9038995da22dbee15fbbc93a6942813b48f6567de7e960d83e

SHA512
b1777e87aa924f9cae4827d411bfb55d072050c5a16d5d2ea5d7d5b7be8e782fde7f622aee9b598bef47d647be970eecab10707bc60830423bec85c662890d7b

Download Submit
C:\Users\Admin\AppData\Local\k1l\RdpSaUacHelper.exe

Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\k1l\WINSTA.dll

Filesize
956KB

MD5
8599c05a4fd2cd06808f6179608f9961

SHA1
97c6ae2e7b7897220afabf197aae550059121137

SHA256
2e022a6b89b6a9756717df90a8d916bb7ac254e565279dddad9e93e5e1df464e

SHA512
d87daf7280e152752b341f4a466bb38f0724bb74a7243340b9bbe0c89b3be99c10ecfc3eb86d7ca9f834f2d07cc25918482a29412cf6deaa2eac1c43c8b24728

Download Submit
C:\Users\Admin\AppData\Local\w6BmVUM\VERSION.dll

Filesize
952KB

MD5
b6cd9d9f06f30171a2c93c8a4de6e143

SHA1
5b7370656d2b8639c2c3c3e21658074002199c98

SHA256
2bb3c56dfb26632dedf8cba4bf26ab829cec5850c027f5c675a704cd6cc58006

SHA512
a506cff4a8d5f6f358003e1250fec45490992566f3f2b4c88a710cb870693f5add6d52b81e62d2c9f65f0ebfd692b5e5d0b6a4b5218536234d5f7344f10d4983

Download Submit
C:\Users\Admin\AppData\Local\w6BmVUM\iexpress.exe

Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Local\x30\wermgr.exe

Filesize
223KB

MD5
f7991343cf02ed92cb59f394e8b89f1f

SHA1
573ad9af63a6a0ab9b209ece518fd582b54cfef5

SHA256
1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

SHA512
fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
05cbb40660e1ec1b5ec4cd111e8fd664

SHA1
f1dc7f52a43de83222ce5c3c3286b47a09e1829b

SHA256
db90695097303daa77160f13e3f1a9d74d958d6b8e08479925f2dbe54dc0c791

SHA512
5bc593a5b534d8a41115015268fd7b7e504d18fd38fcc0de1dba0cb6b31e1ef81226e70ddf04288918f7888219f1e9125adb32130d4e6ce93180482fa494a62b

Download Submit
memory/692-0-0x00000213A4EB0000-0x00000213A4EB7000-memory.dmp

Filesize
28KB

Download
memory/692-39-0x00007FFE01450000-0x00007FFE0153D000-memory.dmp

Filesize
948KB

Download
memory/692-1-0x00007FFE01450000-0x00007FFE0153D000-memory.dmp

Filesize
948KB

Download
memory/1916-86-0x00007FFDF2AD0000-0x00007FFDF2BBF000-memory.dmp

Filesize
956KB

Download
memory/1916-90-0x00007FFDF2AD0000-0x00007FFDF2BBF000-memory.dmp

Filesize
956KB

Download
memory/3440-36-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-15-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-16-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-10-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-9-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-8-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-7-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-6-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-12-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-14-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-25-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-5-0x00007FFE0E4AA000-0x00007FFE0E4AB000-memory.dmp

Filesize
4KB

Download
memory/3440-3-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/3440-13-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-26-0x00007FFE100C0000-0x00007FFE100D0000-memory.dmp

Filesize
64KB

Download
memory/3440-27-0x00007FFE100B0000-0x00007FFE100C0000-memory.dmp

Filesize
64KB

Download
memory/3440-11-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-17-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3440-24-0x0000000001120000-0x0000000001127000-memory.dmp

Filesize
28KB

Download
memory/3588-75-0x00007FFDF2AD0000-0x00007FFDF2BBE000-memory.dmp

Filesize
952KB

Download
memory/3588-70-0x000001E1A15E0000-0x000001E1A15E7000-memory.dmp

Filesize
28KB

Download
memory/3960-51-0x00007FFDF2AD0000-0x00007FFDF2BBE000-memory.dmp

Filesize
952KB

Download
memory/3960-46-0x00007FFDF2AD0000-0x00007FFDF2BBE000-memory.dmp

Filesize
952KB

Download
memory/3960-48-0x00000256BB5C0000-0x00000256BB5C7000-memory.dmp

Filesize
28KB

Download