dridex | f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8.dll
Size

677KB
MD5

155d603dd9fd58ebe24a854d6597e345
SHA1

3c43fdaa5916faf0aa144f918e71620b66b4c3d3
SHA256

f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8
SHA512

e0b43c7a69318b198b63e821bf0543bfbb4e414c8084ee1b6b3aa4bbd0f3c8ee52723ab0496308bbba8411b2ac361c42b3c110c95165367e187b25e94f1148e3
SSDEEP

12288:bMotqoDpGg+O0HCmTkLK+qIRl+lC0fVtN86WCjt:IotMg+OsCoiK+9l+lhTTWC

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3572-3-0x0000000002A60000-0x0000000002A61000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4984-0-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/3572-27-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/3572-38-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/4984-41-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/3344-48-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/3344-53-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/3172-69-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/2356-80-0x0000000140000000-0x00000001400F6000-memory.dmp	dridex_payload
behavioral2/memory/2356-84-0x0000000140000000-0x00000001400F6000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rstrui.exesppsvc.exebdeunlock.exe

pid	Process
3344	rstrui.exe
3172	sppsvc.exe
2356	bdeunlock.exe

Loads dropped DLL 3 IoCs

Processes:

rstrui.exesppsvc.exebdeunlock.exe

pid	Process
3344	rstrui.exe
3172	sppsvc.exe
2356	bdeunlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\bZmQlPv\\sppsvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerstrui.exesppsvc.exebdeunlock.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4984	rundll32.exe
4984	rundll32.exe
4984	rundll32.exe
4984	rundll32.exe
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572
Token: SeShutdownPrivilege	3572
Token: SeCreatePagefilePrivilege	3572

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3572

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	procid_target
PID 3572 wrote to memory of 1584	3572	94
PID 3572 wrote to memory of 1584	3572	94
PID 3572 wrote to memory of 3344	3572	95
PID 3572 wrote to memory of 3344	3572	95
PID 3572 wrote to memory of 3172	3572	97
PID 3572 wrote to memory of 3172	3572	97
PID 3572 wrote to memory of 452	3572	98
PID 3572 wrote to memory of 452	3572	98
PID 3572 wrote to memory of 2356	3572	99
PID 3572 wrote to memory of 2356	3572	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Local\2fJWl6XuP\rstrui.exe
C:\Users\Admin\AppData\Local\2fJWl6XuP\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3344

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:3080

C:\Users\Admin\AppData\Local\0G1sy\sppsvc.exe
C:\Users\Admin\AppData\Local\0G1sy\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3172

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:452

C:\Users\Admin\AppData\Local\3crWNu\bdeunlock.exe
C:\Users\Admin\AppData\Local\3crWNu\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0G1sy\XmlLite.dll

Filesize
678KB

MD5
a53b50c5f871797c8588ba19624ba6bf

SHA1
96fd57c5d2f16c5ef636dea760305d5570a568c8

SHA256
436b142f3aab12b5d8212fd8a01d2b3c966c666dc27bacadbc1bf3a5d21805f5

SHA512
009059db14ab5c75de1bdbed8af8798f7969a77e3d38676643e5771394e7d1e4993aee05f0aa330ecdb50e3165d69891848aa401ea766ff89554400cd4e94e67

Download Submit
C:\Users\Admin\AppData\Local\0G1sy\sppsvc.exe

Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Local\2fJWl6XuP\SRCORE.dll

Filesize
678KB

MD5
929fbfad98ac0381a1d1b24f42167bc8

SHA1
b96e640626fb51b28e2178083aabd69feda4f660

SHA256
d4b7121a2d79e7b96d4bb461a8e0da47a1182012473773ffb28046501c3a1408

SHA512
a756782d8189f6d93bced7f5ac4b80323aa7af37288f566deee0ecb028d9af3f06ede9a44d8a90bf8a4523de723deb105a6ef49f2de7ae2f2a225d693c83631a

Download Submit
C:\Users\Admin\AppData\Local\2fJWl6XuP\rstrui.exe

Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\3crWNu\DUI70.dll

Filesize
954KB

MD5
54ae0ec24ada59f1c02f53d8a1a386c8

SHA1
62f5b5e22141942e41ba3a8dc9fcadfc7a50b3a6

SHA256
cae12550fb91838101e6857699c35bf1cad79c9b436e7528e19ccc0639b4c8bb

SHA512
759b8b0af60d242e99db3a21bf2b1364e0950858fcc82cd2e706a18b9e4766be50b12283fe4abde947c4b5c16d640d9e5535e7a8dd04a62fdabc2b9c2521537a

Download Submit
C:\Users\Admin\AppData\Local\3crWNu\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
d1cdf103107add38472c6b3c9f579cf4

SHA1
7d00a5771a9907efe38947d799167ccd5a5639f2

SHA256
7ace7ed71330d0134eb89f76829ec3965ba0d8e565b27b70edec29edabcbb7d5

SHA512
744fd50f2737ac9606d9da6f1bb497b1b47bc0792271c5d0653b4abb61c2b976a1e0845babb04d337daaab8d112103ec3d207cb829ccda7f605d84a6ac996f31

Download Submit
memory/2356-80-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/2356-84-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3172-66-0x000001BD99DD0000-0x000001BD99DD7000-memory.dmp

Filesize
28KB

Download
memory/3172-69-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3344-53-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3344-48-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3344-50-0x000002034E100000-0x000002034E107000-memory.dmp

Filesize
28KB

Download
memory/3572-18-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-14-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-9-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-8-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-7-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-6-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-38-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-5-0x00007FFC9C3CA000-0x00007FFC9C3CB000-memory.dmp

Filesize
4KB

Download
memory/3572-11-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-12-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-13-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-10-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-17-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-3-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3572-31-0x0000000002360000-0x0000000002367000-memory.dmp

Filesize
28KB

Download
memory/3572-32-0x00007FFC9CB90000-0x00007FFC9CBA0000-memory.dmp

Filesize
64KB

Download
memory/3572-27-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-16-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3572-15-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/4984-2-0x000001F35C9C0000-0x000001F35C9C7000-memory.dmp

Filesize
28KB

Download
memory/4984-41-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/4984-0-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download