dridex | a61afcc952dbc670a70569043015ae03ae3704ae4c6023bf85e2df86ec4c7763

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a61afcc952dbc670a70569043015ae03ae3704ae4c6023bf85e2df86ec4c7763.dll
Size

668KB
MD5

f1fef96e70f11bcc6f67cb15fa1d2220
SHA1

981d5a3fe6ed1b02bdd9dee4daf3d4777b17dbb2
SHA256

a61afcc952dbc670a70569043015ae03ae3704ae4c6023bf85e2df86ec4c7763
SHA512

34e7dcb270ab5cd8838c5fd036fe2fd060619f18ff33a1803e5aac3a5fedb198642ab051f8d63a9410ed8864e0ea2c2cb1c0fb968f9abed72e2cb954d1fb5258
SSDEEP

6144:+34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:+IKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3492-3-0x00000000083A0000-0x00000000083A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/616-0-0x00007FFA38540000-0x00007FFA385E7000-memory.dmp	dridex_payload
behavioral2/memory/3492-17-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/3492-35-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/3492-24-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/616-38-0x00007FFA38540000-0x00007FFA385E7000-memory.dmp	dridex_payload
behavioral2/memory/2532-45-0x00007FFA29140000-0x00007FFA291E8000-memory.dmp	dridex_payload
behavioral2/memory/2532-50-0x00007FFA29140000-0x00007FFA291E8000-memory.dmp	dridex_payload
behavioral2/memory/4596-66-0x00007FFA29140000-0x00007FFA291E8000-memory.dmp	dridex_payload
behavioral2/memory/1224-77-0x00007FFA29140000-0x00007FFA291EE000-memory.dmp	dridex_payload
behavioral2/memory/1224-81-0x00007FFA29140000-0x00007FFA291EE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2532	Dxpserver.exe
4596	iexpress.exe
1224	FXSCOVER.exe

Loads dropped DLL 3 IoCs

pid	Process
2532	Dxpserver.exe
4596	iexpress.exe
1224	FXSCOVER.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsrvevdpr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\Sp7\\iexpress.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
616	rundll32.exe
616	rundll32.exe
616	rundll32.exe
616	rundll32.exe
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3492	Process not Found
3492	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3492	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 5080	3492	Process not Found	97
PID 3492 wrote to memory of 5080	3492	Process not Found	97
PID 3492 wrote to memory of 2532	3492	Process not Found	98
PID 3492 wrote to memory of 2532	3492	Process not Found	98
PID 3492 wrote to memory of 2436	3492	Process not Found	99
PID 3492 wrote to memory of 2436	3492	Process not Found	99
PID 3492 wrote to memory of 4596	3492	Process not Found	100
PID 3492 wrote to memory of 4596	3492	Process not Found	100
PID 3492 wrote to memory of 2732	3492	Process not Found	101
PID 3492 wrote to memory of 2732	3492	Process not Found	101
PID 3492 wrote to memory of 1224	3492	Process not Found	102
PID 3492 wrote to memory of 1224	3492	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a61afcc952dbc670a70569043015ae03ae3704ae4c6023bf85e2df86ec4c7763.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:616

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:5080

C:\Users\Admin\AppData\Local\C05z2WJ\Dxpserver.exe
C:\Users\Admin\AppData\Local\C05z2WJ\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2532

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2436

C:\Users\Admin\AppData\Local\Z19Ax\iexpress.exe
C:\Users\Admin\AppData\Local\Z19Ax\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4596

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:2732

C:\Users\Admin\AppData\Local\N0X\FXSCOVER.exe
C:\Users\Admin\AppData\Local\N0X\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\C05z2WJ\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\C05z2WJ\dwmapi.dll

Filesize
672KB

MD5
2a95df27269da8e5b5618efbd89d05af

SHA1
ba5abc3cce527ae254b6517abd30108537f00152

SHA256
d69251389c470947b884e6aaca90c7086f0af24f9b1bc739a25d53a8c55e65d9

SHA512
bc25f4812de86462f408ab4060b8dabc6646af05f5f632f2967df0f5519e1e30f4208a3415e841b565a93d522f5ea43c3452b100b27708a3051b006d21a96433

Download Submit
C:\Users\Admin\AppData\Local\N0X\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\N0X\MFC42u.dll

Filesize
696KB

MD5
ee978407041265ee40392d3f2ffe9195

SHA1
c3c25a1301df329095f2f9e2d1cac08e1cdfb7b2

SHA256
53aed6fb4d6a88efe675179e38515e909887033e75c52ba2dbc7906ee940f863

SHA512
259930c98c027c4117e437d940e483275cc613273725353ffed657a9c07cf51097b7c30787b1a94d8a195cf22de258f1e5d65a737b591210d5e6a77113b8b4e6

Download Submit
C:\Users\Admin\AppData\Local\Z19Ax\VERSION.dll

Filesize
672KB

MD5
d5587cf13e0dbc28c7539262d349dab9

SHA1
eacb2ea9710f6be0bdb6db2ff4b6a312d774deea

SHA256
158b414d50ebbbc5c8263131a3eb49bab391e0ae9c071e6b34485e7194bbb175

SHA512
a5021371179c05fa9d1444b105eafe4788886a9268ff2fef883a0d113648dca1179a8cb1ff2ea971f9febf55de3b6a03aa2316ed01c5457248659711e1ee787d

Download Submit
C:\Users\Admin\AppData\Local\Z19Ax\iexpress.exe

Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk

Filesize
1KB

MD5
ac1330a4745944127dba688d5d28403d

SHA1
b6783d091a015a34f119f770a4d6522e3443dae2

SHA256
efa29a31ba9702c11f372da22772e7ecf0b91cacff8be754468dd90e3b5fd611

SHA512
5d61285a33ccddc8a89bd9c020d63ba089f8472fd5a45d1c2d15c0be3a6e692d10dd28db320264864cd72a817bbda907bebb9ba125fff22e6cf1ba1ab99e01c8

Download Submit
memory/616-0-0x00007FFA38540000-0x00007FFA385E7000-memory.dmp

Filesize
668KB

Download
memory/616-38-0x00007FFA38540000-0x00007FFA385E7000-memory.dmp

Filesize
668KB

Download
memory/616-2-0x0000028606E00000-0x0000028606E07000-memory.dmp

Filesize
28KB

Download
memory/1224-77-0x00007FFA29140000-0x00007FFA291EE000-memory.dmp

Filesize
696KB

Download
memory/1224-81-0x00007FFA29140000-0x00007FFA291EE000-memory.dmp

Filesize
696KB

Download
memory/2532-50-0x00007FFA29140000-0x00007FFA291E8000-memory.dmp

Filesize
672KB

Download
memory/2532-47-0x00000255A12B0000-0x00000255A12B7000-memory.dmp

Filesize
28KB

Download
memory/2532-45-0x00007FFA29140000-0x00007FFA291E8000-memory.dmp

Filesize
672KB

Download
memory/3492-26-0x00007FFA46770000-0x00007FFA46780000-memory.dmp

Filesize
64KB

Download
memory/3492-24-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-7-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-6-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-5-0x00007FFA45EFA000-0x00007FFA45EFB000-memory.dmp

Filesize
4KB

Download
memory/3492-9-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-10-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-11-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-13-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-8-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-25-0x00007FFA46780000-0x00007FFA46790000-memory.dmp

Filesize
64KB

Download
memory/3492-35-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-15-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-3-0x00000000083A0000-0x00000000083A1000-memory.dmp

Filesize
4KB

Download
memory/3492-12-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-17-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3492-23-0x00000000082E0000-0x00000000082E7000-memory.dmp

Filesize
28KB

Download
memory/3492-14-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/4596-66-0x00007FFA29140000-0x00007FFA291E8000-memory.dmp

Filesize
672KB

Download
memory/4596-61-0x00000229089C0000-0x00000229089C7000-memory.dmp

Filesize
28KB

Download