dridex | 02381d7d554ad7da5ee83db9cb0de32a4c83a05525750c8a89d8152a383725be

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02381d7d554ad7da5ee83db9cb0de32a4c83a05525750c8a89d8152a383725be.dll
Size

1.4MB
MD5

48ed0fa711c99b5dd370d33fd7283d7e
SHA1

afc37df20ce5ebeff233832df9e90027589efddb
SHA256

02381d7d554ad7da5ee83db9cb0de32a4c83a05525750c8a89d8152a383725be
SHA512

c6a8e79fc63d5354221e45ea9e2cde1e079f4916f0cb53377b131f3d477fcb3d6650f79cd10fa8331e36947e335c032755027db07916d0c40d55c56553082935
SSDEEP

12288:TkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:TkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3456-3-0x0000000002020000-0x0000000002021000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/3344-1-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3456-27-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3456-39-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3344-41-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3452-48-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/3452-52-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/2460-69-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/3564-80-0x0000000140000000-0x00000001401AD000-memory.dmp	dridex_payload
behavioral2/memory/3564-84-0x0000000140000000-0x00000001401AD000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3452	CloudNotifications.exe
2460	EhStorAuthn.exe
3564	sessionmsg.exe

Loads dropped DLL 3 IoCs

pid	Process
3452	CloudNotifications.exe
2460	EhStorAuthn.exe
3564	sessionmsg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmqwm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\7PgNs0\\EhStorAuthn.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3456	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 2432	3456	Process not Found	94
PID 3456 wrote to memory of 2432	3456	Process not Found	94
PID 3456 wrote to memory of 3452	3456	Process not Found	95
PID 3456 wrote to memory of 3452	3456	Process not Found	95
PID 3456 wrote to memory of 1832	3456	Process not Found	96
PID 3456 wrote to memory of 1832	3456	Process not Found	96
PID 3456 wrote to memory of 2460	3456	Process not Found	97
PID 3456 wrote to memory of 2460	3456	Process not Found	97
PID 3456 wrote to memory of 4412	3456	Process not Found	98
PID 3456 wrote to memory of 4412	3456	Process not Found	98
PID 3456 wrote to memory of 3564	3456	Process not Found	99
PID 3456 wrote to memory of 3564	3456	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\02381d7d554ad7da5ee83db9cb0de32a4c83a05525750c8a89d8152a383725be.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:2432

C:\Users\Admin\AppData\Local\Tr5XU\CloudNotifications.exe
C:\Users\Admin\AppData\Local\Tr5XU\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3452

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1832

C:\Users\Admin\AppData\Local\qrBZ\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\qrBZ\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2460

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:4412

C:\Users\Admin\AppData\Local\eRMq\sessionmsg.exe
C:\Users\Admin\AppData\Local\eRMq\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tr5XU\CloudNotifications.exe

Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\Tr5XU\UxTheme.dll

Filesize
1.4MB

MD5
3196964e1c26684f7a8d200021f72e30

SHA1
7653d43127f773504f3ce9c572ebd1f0b7ddf68e

SHA256
07a50ca0a4d495eff1c604eb000895f67f0180a2d6e4c5229dcfe597b51b0d17

SHA512
986bba2d34565b9de55b6fccae7028622546892d602910291c43acd7f7af8b38b2e8c68604f89dd1af076929a9e82fd33d546163b80af6982385f20b0d06dcd2

Download Submit
C:\Users\Admin\AppData\Local\eRMq\DUI70.dll

Filesize
1.7MB

MD5
fff6a34127e321775e4fb7286616ea41

SHA1
b5626a737e159156b9153a5282b61798e6e59ca5

SHA256
e99e4ef4bbd08d4e9fef10679f79726ff8352c39c5436c92a7997a226de4ca26

SHA512
80661c8727a1562b8cd7e344efd400848ce0bb9b7c503f5a7b2c6ccb29ee2a36b0cd42d3d5a0b71745b953a98e0cb3a3dc6d72ab319f2723dc39e1c943e1889c

Download Submit
C:\Users\Admin\AppData\Local\eRMq\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\qrBZ\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\qrBZ\UxTheme.dll

Filesize
1.4MB

MD5
02463bf030d8169edc83f93e75f8a019

SHA1
2a360216c2cbb014d08d4d8b0dc20873ae79720c

SHA256
15d8a88c063267fe912a613b8cf974e26485904d9de1f98edcd233ca6ff21788

SHA512
42fd602a68c27cf59b07676556937377a3044d8603ec12ac7c2c0270e5db0451b75640810cdbbd7b782dcf71ddd915d130c0e01ffa2e411f567189430d1f0c97

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk

Filesize
1KB

MD5
88036677cd042a744fdfd491f69d7b5c

SHA1
292d10ddea54ddf5c43226420ae82cfeeda4a6f8

SHA256
55734d1696aeb72aa10711464ccff29598b5421236b0b5a0a5b3167ec13a8de7

SHA512
21a4163821e05e10eb76f48cf7038fa47897e585374b82c3f9d3efa435b1295a8e15cad3580f54ad921cb41070351935b2cf45a7ca5e67aef0b3e2fe789116a9

Download Submit
memory/2460-66-0x0000014D40AE0000-0x0000014D40AE7000-memory.dmp

Filesize
28KB

Download
memory/2460-69-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3344-41-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3344-1-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3344-2-0x0000020E88CE0000-0x0000020E88CE7000-memory.dmp

Filesize
28KB

Download
memory/3452-52-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3452-50-0x000002A3AFC60000-0x000002A3AFC67000-memory.dmp

Filesize
28KB

Download
memory/3452-48-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3456-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-6-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-29-0x00007FFBCA4F0000-0x00007FFBCA500000-memory.dmp

Filesize
64KB

Download
memory/3456-28-0x00007FFBCA500000-0x00007FFBCA510000-memory.dmp

Filesize
64KB

Download
memory/3456-39-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-26-0x0000000001FE0000-0x0000000001FE7000-memory.dmp

Filesize
28KB

Download
memory/3456-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-17-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-3-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3456-5-0x00007FFBCA44A000-0x00007FFBCA44B000-memory.dmp

Filesize
4KB

Download
memory/3564-84-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3564-80-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download