dridex | b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082.dll
Size

1.4MB
MD5

ae929a0749157b4e066875db351711ef
SHA1

8aa55d7d9b43225ce5f67b31332f56c35459520d
SHA256

b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082
SHA512

3b5b6c85574e6bb6620cfc78c07b18101df0ef2e4e9d8f8f1affa83c0b8cfc4557a86338bed9467ddabcb6c7b98ebfd972cd1d0031ae927436629fabb8e39c34
SSDEEP

12288:nkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:nkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-4-0x0000000002230000-0x0000000002231000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2060-1-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/1192-27-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/1192-39-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/1192-38-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/2060-47-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/2736-57-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral1/memory/2736-59-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral1/memory/2064-76-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral1/memory/1884-90-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizard.exedwm.exeSystemPropertiesProtection.exe

pid	Process
2736	BitLockerWizard.exe
2064	dwm.exe
1884	SystemPropertiesProtection.exe

Loads dropped DLL 7 IoCs

Processes:

BitLockerWizard.exedwm.exeSystemPropertiesProtection.exe

pid	Process
1192
2736	BitLockerWizard.exe
1192
2064	dwm.exe
1192
1884	SystemPropertiesProtection.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\vrioL\\dwm.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizard.exedwm.exeSystemPropertiesProtection.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1192 wrote to memory of 2856	1192	29
PID 1192 wrote to memory of 2856	1192	29
PID 1192 wrote to memory of 2856	1192	29
PID 1192 wrote to memory of 2736	1192	30
PID 1192 wrote to memory of 2736	1192	30
PID 1192 wrote to memory of 2736	1192	30
PID 1192 wrote to memory of 2132	1192	31
PID 1192 wrote to memory of 2132	1192	31
PID 1192 wrote to memory of 2132	1192	31
PID 1192 wrote to memory of 2064	1192	32
PID 1192 wrote to memory of 2064	1192	32
PID 1192 wrote to memory of 2064	1192	32
PID 1192 wrote to memory of 2456	1192	33
PID 1192 wrote to memory of 2456	1192	33
PID 1192 wrote to memory of 2456	1192	33
PID 1192 wrote to memory of 1884	1192	34
PID 1192 wrote to memory of 1884	1192	34
PID 1192 wrote to memory of 1884	1192	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2856

C:\Users\Admin\AppData\Local\QjlaYVExI\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\QjlaYVExI\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2736

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2132

C:\Users\Admin\AppData\Local\u6haZYW\dwm.exe
C:\Users\Admin\AppData\Local\u6haZYW\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2064

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:2456

C:\Users\Admin\AppData\Local\mCG6bAvu6\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\mCG6bAvu6\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QjlaYVExI\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
C:\Users\Admin\AppData\Local\QjlaYVExI\FVEWIZ.dll

Filesize
1.4MB

MD5
e8568575ebfd96108b54957269c1d6f9

SHA1
918b67202024d5f817e9654ed779abdbbaf57490

SHA256
d87ab455a78c069eec537fa9f28fa0efa1f980a99d6fe4368ea2fad9ef5b59e9

SHA512
013e2bc09b8c4b5fd95512645b45804f6755aea30eebcbac3f0e3e0ea449c7749659285d6801ec3d69111bb1d2b3d15cd214fa454e1dd0ec177688ab6c10f23b

Download Submit
C:\Users\Admin\AppData\Local\mCG6bAvu6\SYSDM.CPL

Filesize
1.4MB

MD5
56c9452be7b54c8c5d1f1d50cde4ce51

SHA1
0c7b0fa15856cd542f54b55aaf52c837e4f19407

SHA256
ba154cd401ca900fbcfe76944ce376c3700cc1eb8f92482b24f7bf70a5b8c1e4

SHA512
5ee820196a334878eff244defc8cbdba3f26029c4a9c704b95449c604e3d3bf7f5d5a6625414d5facead42ef9fdc4d475098d42bc2065401d400d6329807f273

Download Submit
C:\Users\Admin\AppData\Local\u6haZYW\UxTheme.dll

Filesize
1.4MB

MD5
1c68a9415ac779cfe0d7d9721c4045cd

SHA1
e618872d7b01a967ec7dab0d45b4eb9b7c588a0a

SHA256
ed3eb8dfcfe6b3687b3a487c5279ae1ab30bd7c3305fd043e3c989da2f9fbfd2

SHA512
88574054b8f3b371715aca86ea250087411d1108502319019124453d6894487e1d2961c19a1247f329c3649fdc67f1d644326ef97367b34944092c302ae5ed13

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
791B

MD5
4bd2585e4cbdbdc7180d049a965bcd01

SHA1
c229774d89cd55acc04ea24eaa19ad0b433390ae

SHA256
98c77000af7d1d88a799759cf5e5d34ee68230441c90b8fe46fdcdc9982dc607

SHA512
4ceae58e561a7770af5b5949e8387d912f9cd6186b6cd3cd41ca9fbf5df9af29b27ef4a4177a1c51246929c4bd35b614c8de831f2405e7e2d542f9bda1293795

Download Submit
\Users\Admin\AppData\Local\mCG6bAvu6\SystemPropertiesProtection.exe

Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\u6haZYW\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
memory/1192-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-38-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-26-0x0000000002210000-0x0000000002217000-memory.dmp

Filesize
28KB

Download
memory/1192-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-3-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1192-29-0x0000000077E00000-0x0000000077E02000-memory.dmp

Filesize
8KB

Download
memory/1192-28-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/1192-39-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-17-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-4-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1192-48-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1192-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-6-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1192-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1884-90-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2060-47-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2060-1-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2060-0-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2064-76-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2736-59-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2736-57-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2736-56-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download