dridex | 9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll
Size

1.2MB
MD5

02cc0f2d0a0c7407558ac5a569c4e04c
SHA1

4b7060c03c224e42c420651368c73dbddcc3a3e3
SHA256

9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7
SHA512

ac134e657c9ec47511245fdcbf717221a83eda2faea7e57560a59e212efa9312f4f13abc29b81be6210405680f507c5d921c4f6fe9ec933249c093e342eef554
SSDEEP

6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTI:kIKp/UWCZdCDh2IZDwAFRpR6Aup

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3456-4-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2672-1-0x00007FF917F90000-0x00007FF9180C3000-memory.dmp	dridex_payload
behavioral2/memory/3456-26-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/3456-18-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/3456-37-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/2672-40-0x00007FF917F90000-0x00007FF9180C3000-memory.dmp	dridex_payload
behavioral2/memory/4004-48-0x00007FF909AD0000-0x00007FF909C05000-memory.dmp	dridex_payload
behavioral2/memory/4004-51-0x00007FF909AD0000-0x00007FF909C05000-memory.dmp	dridex_payload
behavioral2/memory/4416-60-0x00007FF9092F0000-0x00007FF909424000-memory.dmp	dridex_payload
behavioral2/memory/4416-65-0x00007FF9092F0000-0x00007FF909424000-memory.dmp	dridex_payload
behavioral2/memory/2604-76-0x00007FF9088F0000-0x00007FF908A24000-memory.dmp	dridex_payload
behavioral2/memory/2604-80-0x00007FF9088F0000-0x00007FF908A24000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4004	mmc.exe
4416	cttune.exe
2604	DisplaySwitch.exe

Loads dropped DLL 3 IoCs

pid	Process
4004	mmc.exe
4416	cttune.exe
2604	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\PVmCD\\cttune.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3456	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1176	3456	Process not Found	87
PID 3456 wrote to memory of 1176	3456	Process not Found	87
PID 3456 wrote to memory of 4004	3456	Process not Found	88
PID 3456 wrote to memory of 4004	3456	Process not Found	88
PID 3456 wrote to memory of 4864	3456	Process not Found	93
PID 3456 wrote to memory of 4864	3456	Process not Found	93
PID 3456 wrote to memory of 4416	3456	Process not Found	94
PID 3456 wrote to memory of 4416	3456	Process not Found	94
PID 3456 wrote to memory of 4136	3456	Process not Found	96
PID 3456 wrote to memory of 4136	3456	Process not Found	96
PID 3456 wrote to memory of 2604	3456	Process not Found	97
PID 3456 wrote to memory of 2604	3456	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:1176

C:\Users\Admin\AppData\Local\jyIiiepfH\mmc.exe
C:\Users\Admin\AppData\Local\jyIiiepfH\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4004

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:4864

C:\Users\Admin\AppData\Local\3ZS1WJ6Go\cttune.exe
C:\Users\Admin\AppData\Local\3ZS1WJ6Go\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4416

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:4136

C:\Users\Admin\AppData\Local\X2l\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\X2l\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3ZS1WJ6Go\UxTheme.dll

Filesize
1.2MB

MD5
789c84c27b4e9573db749f48de8a4279

SHA1
6912737f11854c36b6ddb925aa8d4db5b73f1954

SHA256
2ad9902a737b056fdabb9d63653b710b7e5664da8bf9da69e6fb7a6f0a6e7295

SHA512
410a44fef72b412001b5581cb1a067785546ee785e4bfbcfb6bc873ad11bf744fdc8d2c7a74ccd198e350d606442ee2ee1c2682c492537884fcd7de12be033aa

Download Submit
C:\Users\Admin\AppData\Local\3ZS1WJ6Go\cttune.exe

Filesize
90KB

MD5
fa924465a33833f41c1a39f6221ba460

SHA1
801d505d81e49d2b4ffa316245ca69ff58c523c3

SHA256
de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

SHA512
eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

Download Submit
C:\Users\Admin\AppData\Local\X2l\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\X2l\dwmapi.dll

Filesize
1.2MB

MD5
432ce7407f87e485f88c898a24d22905

SHA1
5174ddd5195d96c2613728f6a85cfe21af37ac08

SHA256
e16be823bb5a617c58e78a040cba16b2e2682f6a1cc18558df2907b9ee5b2444

SHA512
e824468f70053f51c48e79c4d692eca0735563b4f79e950f9bed6f072a57ee95be539c56c58a17a63f3b12d10c3e3cd599ed05997314693e500dba4b9d2281f3

Download Submit
C:\Users\Admin\AppData\Local\jyIiiepfH\DUser.dll

Filesize
1.2MB

MD5
d25fa016db1171ca4756e53ba9d73291

SHA1
ae3f155681546fa9784b78dd37a34cd2dc676c45

SHA256
cb9da523eef08175a67287e14bea2d5bbc3bfe24d212eff78c18a518c11f4097

SHA512
4446f100fea5c261c20a60036508db3f02816d5bc45396dbc817fa4fc9a97030854d0d1ed270db63a1ad8256ad7712cf3103ab08a5359efb4f9e25d0fe2ece8b

Download Submit
C:\Users\Admin\AppData\Local\jyIiiepfH\mmc.exe

Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
497800502742b07cd6a20d665a98a85a

SHA1
acad503a1649e9a27df5e4d453b2a9169ea8a36b

SHA256
80909bbac09ab64609d48d08b549bb879bc841cf3f09ea6eebb505b6edb85978

SHA512
fa4ff2d184f69a820c78c00319830dfd044987332ef17429f4a0b15f6ae9ebcbb66ffa555a1b619ae1e0e1ca02079777cdd7da8af571f580205296b722fbb7c0

Download Submit
memory/2604-80-0x00007FF9088F0000-0x00007FF908A24000-memory.dmp

Filesize
1.2MB

Download
memory/2604-76-0x00007FF9088F0000-0x00007FF908A24000-memory.dmp

Filesize
1.2MB

Download
memory/2672-0-0x00000243D2050000-0x00000243D2057000-memory.dmp

Filesize
28KB

Download
memory/2672-1-0x00007FF917F90000-0x00007FF9180C3000-memory.dmp

Filesize
1.2MB

Download
memory/2672-40-0x00007FF917F90000-0x00007FF9180C3000-memory.dmp

Filesize
1.2MB

Download
memory/3456-8-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-37-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-12-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-11-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-10-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-9-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-27-0x00007FF927800000-0x00007FF927810000-memory.dmp

Filesize
64KB

Download
memory/3456-7-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-18-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-25-0x0000000000810000-0x0000000000817000-memory.dmp

Filesize
28KB

Download
memory/3456-28-0x00007FF9277F0000-0x00007FF927800000-memory.dmp

Filesize
64KB

Download
memory/3456-26-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-14-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-13-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/3456-3-0x00007FF925EAA000-0x00007FF925EAB000-memory.dmp

Filesize
4KB

Download
memory/3456-15-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-17-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-6-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3456-16-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/4004-50-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/4004-51-0x00007FF909AD0000-0x00007FF909C05000-memory.dmp

Filesize
1.2MB

Download
memory/4004-48-0x00007FF909AD0000-0x00007FF909C05000-memory.dmp

Filesize
1.2MB

Download
memory/4416-65-0x00007FF9092F0000-0x00007FF909424000-memory.dmp

Filesize
1.2MB

Download
memory/4416-60-0x00007FF9092F0000-0x00007FF909424000-memory.dmp

Filesize
1.2MB

Download
memory/4416-62-0x0000027FD92A0000-0x0000027FD92A7000-memory.dmp

Filesize
28KB

Download