dridex | f9244033cd6a59c0de137c0211e98b0adef2afc54a56cae909aad14bdfe62e55

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9244033cd6a59c0de137c0211e98b0adef2afc54a56cae909aad14bdfe62e55.dll
Size

672KB
MD5

63e9a975848446456adbf6d5a552286f
SHA1

0d51906d785e8c0388f98c298edeb8a3a68c4294
SHA256

f9244033cd6a59c0de137c0211e98b0adef2afc54a56cae909aad14bdfe62e55
SHA512

958abf84bcd4b357feaf51a6d4655a13574aa808de22d6d753bc552f64bbfdbba38a65eec2a8e8d2680fd7e5bfd5c2267e5b74a27ae0b3927860ef3f47b264ba
SSDEEP

6144:O34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:OIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3472-4-0x00000000027F0000-0x00000000027F1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2880-0-0x00007FF9EF360000-0x00007FF9EF408000-memory.dmp	dridex_payload
behavioral2/memory/3472-16-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3472-35-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3472-24-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/2880-38-0x00007FF9EF360000-0x00007FF9EF408000-memory.dmp	dridex_payload
behavioral2/memory/3372-45-0x00007FF9E03A0000-0x00007FF9E048E000-memory.dmp	dridex_payload
behavioral2/memory/3372-50-0x00007FF9E03A0000-0x00007FF9E048E000-memory.dmp	dridex_payload
behavioral2/memory/2148-62-0x00007FF9E03E0000-0x00007FF9E0489000-memory.dmp	dridex_payload
behavioral2/memory/2148-66-0x00007FF9E03E0000-0x00007FF9E0489000-memory.dmp	dridex_payload
behavioral2/memory/3912-77-0x00007FF9E0280000-0x00007FF9E036E000-memory.dmp	dridex_payload
behavioral2/memory/3912-81-0x00007FF9E0280000-0x00007FF9E036E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

CameraSettingsUIHost.exeMoUsoCoreWorker.exesystemreset.exe

pid	Process
3372	CameraSettingsUIHost.exe
2148	MoUsoCoreWorker.exe
3912	systemreset.exe

Loads dropped DLL 3 IoCs

Processes:

CameraSettingsUIHost.exeMoUsoCoreWorker.exesystemreset.exe

pid	Process
3372	CameraSettingsUIHost.exe
2148	MoUsoCoreWorker.exe
3912	systemreset.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\WORDDO~1\\3mdl\\MOUSOC~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MoUsoCoreWorker.exesystemreset.exerundll32.exeCameraSettingsUIHost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2880	rundll32.exe
2880	rundll32.exe
2880	rundll32.exe
2880	rundll32.exe
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472
Token: SeShutdownPrivilege	3472
Token: SeCreatePagefilePrivilege	3472

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3472

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3472 wrote to memory of 944	3472	98
PID 3472 wrote to memory of 944	3472	98
PID 3472 wrote to memory of 3372	3472	99
PID 3472 wrote to memory of 3372	3472	99
PID 3472 wrote to memory of 2600	3472	100
PID 3472 wrote to memory of 2600	3472	100
PID 3472 wrote to memory of 2148	3472	101
PID 3472 wrote to memory of 2148	3472	101
PID 3472 wrote to memory of 4460	3472	102
PID 3472 wrote to memory of 4460	3472	102
PID 3472 wrote to memory of 3912	3472	103
PID 3472 wrote to memory of 3912	3472	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9244033cd6a59c0de137c0211e98b0adef2afc54a56cae909aad14bdfe62e55.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:944

C:\Users\Admin\AppData\Local\rVDqb\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\rVDqb\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3372

C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
1⤵
PID:2600

C:\Users\Admin\AppData\Local\A34GYj0\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\A34GYj0\MoUsoCoreWorker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2148

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:4460

C:\Users\Admin\AppData\Local\H1p7\systemreset.exe
C:\Users\Admin\AppData\Local\H1p7\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\A34GYj0\MoUsoCoreWorker.exe

Filesize
1.6MB

MD5
47c6b45ff22b73caf40bb29392386ce3

SHA1
7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

SHA256
cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

SHA512
c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

Download Submit
C:\Users\Admin\AppData\Local\A34GYj0\XmlLite.dll

Filesize
676KB

MD5
8817f88ff181ea8fe358ee77f0c3b27e

SHA1
84fbc76048bd83c70977035f5ed57329f1e1a464

SHA256
bc25621c32ee47d2e0def17a6013d14c6e344eac0f9ab71d2f88bf8afad5a501

SHA512
444256b2805a3707598ec53ab6a2e623e71f126fb79fcdb1ae85d4714308e2c4da3d45eaf5170361921a4355916f4d642e07320dd4be27f2189bc958e1c0d55d

Download Submit
C:\Users\Admin\AppData\Local\H1p7\DUI70.dll

Filesize
952KB

MD5
e4bdd3f12c674e05761b14b3d321899a

SHA1
bbcdfecc409b90a3851c3ab3cbd8e1a2be74b005

SHA256
842e4070b665fdcb7787f0d3454fba7f5c46136f2601b662611375d84c69a019

SHA512
46d3d79ff718c9e18e40098563284c7d7ff7addcdd2f0186fe49b16f1d6fd4c41a9f66bcbe3af8a34d4dff89efb44f02ffc809be0b1d8b87ab6bcaa145ce35f8

Download Submit
C:\Users\Admin\AppData\Local\H1p7\systemreset.exe

Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Local\rVDqb\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\rVDqb\DUI70.dll

Filesize
952KB

MD5
1b9a3ee0e50afe5c5cfa20e6ed240fb5

SHA1
121d0c833f377a71c93d5c4383150e12ec9830c3

SHA256
13bbadc6f14a7234fd5d1e8b52e68db91ac6540ecec393a45e2a14aa8d18cbd3

SHA512
09ead8813593b367d1dfccab2312f2a90974a18cb47a47e55e9fe06d96478e9846b966ae76a4f6b20d07706dbd5ea698583cb0d4bdb2c0b7cdfe984fd1df995b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
a85080e980cbcb9d2cd73b61b13f7e62

SHA1
bdcf33b9da75394c0828784d2f459bbc6ee64a6e

SHA256
852c685639f85f0b6000dfbad06759f7cb58ed296562b7d5e084e00cac255511

SHA512
f70a5023661fe5c2aa0fd0cc97af2db626f8a332dae2125335950c394ed3b42b8a4ddcc43edfcf2df012db4de4380ba569db0f6be64e356961d156b3caf38c44

Download Submit
memory/2148-66-0x00007FF9E03E0000-0x00007FF9E0489000-memory.dmp

Filesize
676KB

Download
memory/2148-62-0x00007FF9E03E0000-0x00007FF9E0489000-memory.dmp

Filesize
676KB

Download
memory/2148-61-0x000002C4CF670000-0x000002C4CF677000-memory.dmp

Filesize
28KB

Download
memory/2880-38-0x00007FF9EF360000-0x00007FF9EF408000-memory.dmp

Filesize
672KB

Download
memory/2880-0-0x00007FF9EF360000-0x00007FF9EF408000-memory.dmp

Filesize
672KB

Download
memory/2880-2-0x0000023300FD0000-0x0000023300FD7000-memory.dmp

Filesize
28KB

Download
memory/3372-50-0x00007FF9E03A0000-0x00007FF9E048E000-memory.dmp

Filesize
952KB

Download
memory/3372-45-0x00007FF9E03A0000-0x00007FF9E048E000-memory.dmp

Filesize
952KB

Download
memory/3372-47-0x0000025DD0C00000-0x0000025DD0C07000-memory.dmp

Filesize
28KB

Download
memory/3472-26-0x00007FF9FDD70000-0x00007FF9FDD80000-memory.dmp

Filesize
64KB

Download
memory/3472-35-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-24-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-25-0x00007FF9FDD80000-0x00007FF9FDD90000-memory.dmp

Filesize
64KB

Download
memory/3472-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-23-0x0000000002800000-0x0000000002807000-memory.dmp

Filesize
28KB

Download
memory/3472-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3472-3-0x00007FF9FDCEA000-0x00007FF9FDCEB000-memory.dmp

Filesize
4KB

Download
memory/3472-4-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3912-81-0x00007FF9E0280000-0x00007FF9E036E000-memory.dmp

Filesize
952KB

Download
memory/3912-77-0x00007FF9E0280000-0x00007FF9E036E000-memory.dmp

Filesize
952KB

Download