dridex | d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26.dll
Size

1.4MB
MD5

460853dc2d4eb8c6ef969468e96d4848
SHA1

1cf879eaffda5e86c10851318b6aced388609191
SHA256

d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26
SHA512

481935aaf938dca27ff8fc91ea0d905db8c7d9036be72e2ac5eaa449ddfde7a8d074f9d20d51a11a1f850d11730c9f2a0e18ca3bfa99ea2455b573a45cd2182e
SSDEEP

12288:vkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:vkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3356-4-0x00000000078E0000-0x00000000078E1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/640-2-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3356-27-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3356-38-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/640-41-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3116-49-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload
behavioral2/memory/3116-53-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload
behavioral2/memory/5092-65-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/5092-69-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/4912-84-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3116	wbengine.exe
5092	wextract.exe
4912	Dxpserver.exe

Loads dropped DLL 3 IoCs

pid	Process
3116	wbengine.exe
5092	wextract.exe
4912	Dxpserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Qc\\wextract.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found
3356	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found
Token: SeShutdownPrivilege	3356	Process not Found
Token: SeCreatePagefilePrivilege	3356	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3356	Process not Found
3356	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3356	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 1756	3356	Process not Found	95
PID 3356 wrote to memory of 1756	3356	Process not Found	95
PID 3356 wrote to memory of 3116	3356	Process not Found	96
PID 3356 wrote to memory of 3116	3356	Process not Found	96
PID 3356 wrote to memory of 4316	3356	Process not Found	97
PID 3356 wrote to memory of 4316	3356	Process not Found	97
PID 3356 wrote to memory of 5092	3356	Process not Found	98
PID 3356 wrote to memory of 5092	3356	Process not Found	98
PID 3356 wrote to memory of 3492	3356	Process not Found	99
PID 3356 wrote to memory of 3492	3356	Process not Found	99
PID 3356 wrote to memory of 4912	3356	Process not Found	100
PID 3356 wrote to memory of 4912	3356	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\WZDhyS\wbengine.exe
C:\Users\Admin\AppData\Local\WZDhyS\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3116

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:4316

C:\Users\Admin\AppData\Local\1D8ZnD\wextract.exe
C:\Users\Admin\AppData\Local\1D8ZnD\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5092

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:3492

C:\Users\Admin\AppData\Local\Vjn\Dxpserver.exe
C:\Users\Admin\AppData\Local\Vjn\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1D8ZnD\VERSION.dll

Filesize
1.4MB

MD5
d19e456184953cfd4e3522cd86919ae5

SHA1
0fd65552d935d9dd7c0a3f1de9f20a2615a059c5

SHA256
e00ae1fbee9569ef45dea95aa3e729524c4593076c04bfd273edd643a91defa7

SHA512
f0cd204369690496a400dc90bcdd407b28879ce8b006a7b9dcfdea2651396d3b0567768cfff94dadd4b35e6bd1dd92e203adff93b4f8a077f1b4b225056e3def

Download Submit
C:\Users\Admin\AppData\Local\1D8ZnD\wextract.exe

Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Local\Vjn\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\Vjn\XmlLite.dll

Filesize
1.4MB

MD5
79dd52218ca9da19f3ec2e2b06d2aa2a

SHA1
63b95a02a4f5fbdd8f8c50f2d9b94f4e858bc505

SHA256
517687b7d7c0a6ec33eadd05515cd8d2f7506dc2371906e18f253d3af6587fb7

SHA512
568ffe911c3c7512e204dcf17b788a9879c3bfb04672a2c98426cf6d03e45db8f92a11141a60831093b50719c4754059c40bcea134b67df6b356111f4ac3b9b2

Download Submit
C:\Users\Admin\AppData\Local\WZDhyS\wbengine.exe

Filesize
1.5MB

MD5
17270a354a66590953c4aac1cf54e507

SHA1
715babcc8e46b02ac498f4f06df7937904d9798d

SHA256
9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

SHA512
6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

Download Submit
C:\Users\Admin\AppData\Local\WZDhyS\wer.dll

Filesize
1.4MB

MD5
ecad6fb9628048ab63e1980af6c0a09f

SHA1
5993f63851c97ca461610b00cdfb44fd0f3abbe0

SHA256
9b130b142648c62464f3c8dcbf2cfff23c8b4059f81c568cf91f0fffe9a3094c

SHA512
958610fa5c5fa2cac43bf60e0a6a78fd910dbaa3a36fa7bca7aa5534b3b53ca91d473c23838e1ebabe3d19aff1c1e172c2f754d5846ca796b01ad8bb5c174074

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
b04a87df2ef15113b7c6072cfedba90f

SHA1
39e6071dd54e7ec47322401fa443844e5fde0032

SHA256
49e384cd6a686f89ba3da51da49cfb71b11cdfaf4e7cc332b0785cdcc50b7dde

SHA512
b2426a8594e10f43cb14421be7d06d80310c0d88cf64be85bdf217f2cd1e51148a2ea1ac6993efb41c4322a904d7f0e5ac093581cbe40b6860c145f987e06fc9

Download Submit
memory/640-41-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/640-2-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/640-0-0x000001D1D6B50000-0x000001D1D6B57000-memory.dmp

Filesize
28KB

Download
memory/3116-53-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3116-49-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3116-48-0x000001EAA8F00000-0x000001EAA8F07000-memory.dmp

Filesize
28KB

Download
memory/3356-28-0x00007FFFEB360000-0x00007FFFEB370000-memory.dmp

Filesize
64KB

Download
memory/3356-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-6-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-38-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-29-0x00007FFFEB350000-0x00007FFFEB360000-memory.dmp

Filesize
64KB

Download
memory/3356-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-26-0x0000000003520000-0x0000000003527000-memory.dmp

Filesize
28KB

Download
memory/3356-17-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3356-4-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/3356-3-0x00007FFFE941A000-0x00007FFFE941B000-memory.dmp

Filesize
4KB

Download
memory/3356-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4912-84-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/5092-69-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/5092-64-0x0000022931380000-0x0000022931387000-memory.dmp

Filesize
28KB

Download
memory/5092-65-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download