dridex | cb0a5e0097de33fa6f57dbf7ccaf9034c66400a825375093d5fb0a139968087c

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb0a5e0097de33fa6f57dbf7ccaf9034c66400a825375093d5fb0a139968087c.dll
Size

980KB
MD5

2f7056cdf2abb1bc979d8c4ebf8ab217
SHA1

aca864752fe83b828993a8f4c03ec0b80f13254e
SHA256

cb0a5e0097de33fa6f57dbf7ccaf9034c66400a825375093d5fb0a139968087c
SHA512

b6cc46f3abd4164b759ab0f777e04412a5df96a2c81f946b5ccd7d47409c8ab91d75f58804311516254f7965d0547803a2840b182292576f18d2a932fb1a410d
SSDEEP

24576:qEwXnOAx5HcDM1Sxd3ChCHg2/P9yGoch:dbM1SzCoZ4Gdh

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3408-3-0x0000000008910000-0x0000000008911000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4544-0-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/3408-25-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/3408-36-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/4544-39-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/3292-46-0x0000000140000000-0x000000014013B000-memory.dmp	dridex_payload
behavioral2/memory/3292-51-0x0000000140000000-0x000000014013B000-memory.dmp	dridex_payload
behavioral2/memory/2936-62-0x0000000140000000-0x00000001400F6000-memory.dmp	dridex_payload
behavioral2/memory/2936-67-0x0000000140000000-0x00000001400F6000-memory.dmp	dridex_payload
behavioral2/memory/3028-82-0x0000000140000000-0x00000001400F6000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3292	bdechangepin.exe
2936	AgentService.exe
3028	ddodiag.exe

Loads dropped DLL 3 IoCs

pid	Process
3292	bdechangepin.exe
2936	AgentService.exe
3028	ddodiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qiqbxsgjw = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\HUCRZZ~1\\AGENTS~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
4544	rundll32.exe
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3408	Process not Found
3408	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3408	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 4404	3408	Process not Found	95
PID 3408 wrote to memory of 4404	3408	Process not Found	95
PID 3408 wrote to memory of 3292	3408	Process not Found	96
PID 3408 wrote to memory of 3292	3408	Process not Found	96
PID 3408 wrote to memory of 4680	3408	Process not Found	97
PID 3408 wrote to memory of 4680	3408	Process not Found	97
PID 3408 wrote to memory of 2936	3408	Process not Found	98
PID 3408 wrote to memory of 2936	3408	Process not Found	98
PID 3408 wrote to memory of 1868	3408	Process not Found	99
PID 3408 wrote to memory of 1868	3408	Process not Found	99
PID 3408 wrote to memory of 3028	3408	Process not Found	100
PID 3408 wrote to memory of 3028	3408	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb0a5e0097de33fa6f57dbf7ccaf9034c66400a825375093d5fb0a139968087c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4544

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4404

C:\Users\Admin\AppData\Local\Yiy\bdechangepin.exe
C:\Users\Admin\AppData\Local\Yiy\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:4680

C:\Users\Admin\AppData\Local\9rwS\AgentService.exe
C:\Users\Admin\AppData\Local\9rwS\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:1868

C:\Users\Admin\AppData\Local\MsW\ddodiag.exe
C:\Users\Admin\AppData\Local\MsW\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9rwS\ACTIVEDS.dll

Filesize
984KB

MD5
63c65a3619599a4b4b2ce3b15f7e99e5

SHA1
48e95600081c2c9260c046e641c345e520730448

SHA256
cdd9565c24f95e5bbd50c5a824a0a0e3b483c3ae79541f7600c5ff97e1f6ee21

SHA512
d52d419b21050bc11c7a83dc8a42194513738a1d239042e365e26bfa6b73be3140ca8ca28d4bff7c82f2a3804284d360308aa2d3233c904241de2e39a0261bc7

Download Submit
C:\Users\Admin\AppData\Local\9rwS\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Local\MsW\XmlLite.dll

Filesize
984KB

MD5
da20903a2151596dc1a73055289fb4e0

SHA1
91ec89c89d16eac8fc2e11c629a72c04c990ba2a

SHA256
c78f27d7348ba6e7ba4078c2435ff3344037a17d12b2199b02e59d5e6ccd8a61

SHA512
9d9694d3d3d1ab82de8de149313af26e0128007c371e05f540b4dcccc8e82802f4f165657d320c69d003b67164e2453ee2a9dcd5bcf434d2820295bb6fe3650e

Download Submit
C:\Users\Admin\AppData\Local\MsW\ddodiag.exe

Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
C:\Users\Admin\AppData\Local\Yiy\DUI70.dll

Filesize
1.2MB

MD5
d6c78ee6052b94f6516799b79a0a1b66

SHA1
946c874678c11f837a157c170a9b3f49958a5b47

SHA256
d17b64858b9790b8257f8348134271598f540bdb8416b9cf86172b79f2c77825

SHA512
de605dc7dce0c2c92ca73c9676ed133ad0ca3179d064a54e5ee5e7a33c914f31b7e6db080d624e88406a8f60af6b00333263ac1256a0e08d7bbdaa190ffa690d

Download Submit
C:\Users\Admin\AppData\Local\Yiy\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk

Filesize
1KB

MD5
d0ee6a3661f1b7ba7235b0e782384311

SHA1
e255a02ad4918c2142b00a2a53abd9f444c4e230

SHA256
a108f006bf8d9b1641bf5582401bbf89484f54c1ce04b3d876a906f9a1ce48ce

SHA512
184a47336db7ace70d276233788e3ea1d367c15a1c0476b3b6c88777950313ecc491d0ea1a71409698f13ffdcb28a1794cfba84ba3d282e1bd23b208c7ba696b

Download Submit
memory/2936-67-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/2936-62-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/2936-64-0x00000213029A0000-0x00000213029A7000-memory.dmp

Filesize
28KB

Download
memory/3028-82-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3292-51-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3292-48-0x000001A05BB40000-0x000001A05BB47000-memory.dmp

Filesize
28KB

Download
memory/3292-46-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3408-36-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-24-0x00000000088F0000-0x00000000088F7000-memory.dmp

Filesize
28KB

Download
memory/3408-8-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-6-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-5-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-3-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/3408-10-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-11-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-12-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-13-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-14-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-15-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-23-0x00007FFA36EBA000-0x00007FFA36EBB000-memory.dmp

Filesize
4KB

Download
memory/3408-7-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-26-0x00007FFA38DA0000-0x00007FFA38DB0000-memory.dmp

Filesize
64KB

Download
memory/3408-27-0x00007FFA38D90000-0x00007FFA38DA0000-memory.dmp

Filesize
64KB

Download
memory/3408-9-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/3408-25-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/4544-0-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/4544-39-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/4544-2-0x000001F54DC60000-0x000001F54DC67000-memory.dmp

Filesize
28KB

Download