dridex | f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b.dll
Size

1.4MB
MD5

16bb8e25d3d2f866cbf6826bb90fd325
SHA1

ce86cea88918e556a9d0d2061c332da8e7513623
SHA256

f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b
SHA512

53321d6e37c9be3be9970ec3a69d84c049e022d071e47a03b922149b453493f531eb4f2afbaee0110d2ba4b87414c653015dd7f85d31fb41848063891b6bee72
SSDEEP

12288:TkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:TkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-4-0x0000000000D70000-0x0000000000D71000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1572-2-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/3432-27-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/3432-38-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/1572-41-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/1644-49-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload
behavioral2/memory/1644-53-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload
behavioral2/memory/836-69-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload
behavioral2/memory/4004-84-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1644	perfmon.exe
836	SystemPropertiesRemote.exe
4004	printfilterpipelinesvc.exe

Loads dropped DLL 3 IoCs

pid	Process
1644	perfmon.exe
836	SystemPropertiesRemote.exe
4004	printfilterpipelinesvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2437139445-1151884604-3026847218-1000\\BbDRoaYKf\\SystemPropertiesRemote.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found
Token: SeShutdownPrivilege	3432	Process not Found
Token: SeCreatePagefilePrivilege	3432	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 2424	3432	Process not Found	98
PID 3432 wrote to memory of 2424	3432	Process not Found	98
PID 3432 wrote to memory of 1644	3432	Process not Found	99
PID 3432 wrote to memory of 1644	3432	Process not Found	99
PID 3432 wrote to memory of 1680	3432	Process not Found	100
PID 3432 wrote to memory of 1680	3432	Process not Found	100
PID 3432 wrote to memory of 836	3432	Process not Found	101
PID 3432 wrote to memory of 836	3432	Process not Found	101
PID 3432 wrote to memory of 1708	3432	Process not Found	102
PID 3432 wrote to memory of 1708	3432	Process not Found	102
PID 3432 wrote to memory of 4004	3432	Process not Found	103
PID 3432 wrote to memory of 4004	3432	Process not Found	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2424

C:\Users\Admin\AppData\Local\iPoW7ED4R\perfmon.exe
C:\Users\Admin\AppData\Local\iPoW7ED4R\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1644

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:1680

C:\Users\Admin\AppData\Local\Thy38VXL\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\Thy38VXL\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:836

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:1708

C:\Users\Admin\AppData\Local\0JKap\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\0JKap\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0JKap\XmlLite.dll

Filesize
1.4MB

MD5
06a3530282313317b533888f794a2379

SHA1
fd53d00a39d6874c6d55f8f82fc71d842b56b950

SHA256
f9b0d4dd29cfbed08226548d58bc802c0ff880c6ee7bc201710427d2728014be

SHA512
76c662961d3f0a13005691b018736234007a2e12df4c0fee07add874a0bcdb4406cb2b61df997bb9728999a8d4e55c4c8f4bc201b48329a219a4d4326751f58d

Download Submit
C:\Users\Admin\AppData\Local\0JKap\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\Thy38VXL\SYSDM.CPL

Filesize
1.4MB

MD5
992786c25cc8ee99584703bb49f023ef

SHA1
ea187bd672bf7c56b72fd03f14d13c8f9cfd42ed

SHA256
08674f213a1e86e8da9b7e6f2faafa41d80de5096f917a1dbe390b45fbedc1b3

SHA512
d7100faf6deb6681653a372aa6b810dc2dc33e8e57c3852d1c48219662120b633ec38dce2b8403e3ce9f97bc0355a9e59c10de96af57082636b1294d475af8d3

Download Submit
C:\Users\Admin\AppData\Local\Thy38VXL\SystemPropertiesRemote.exe

Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\iPoW7ED4R\credui.dll

Filesize
1.4MB

MD5
19af7cd37982a4e430e479ba0bf68880

SHA1
330db9a3c5cac1f885182d21731a9b80047171e9

SHA256
97f954bcd8c286c44d2c014ea8bf8d06ca2dc8e291982727438a9d3014100be8

SHA512
449b91316aab762a8e6a4cb97c2d8a85e34fce35ee05b785bed51896b13ac3efc3ba963caa8d8e1a0060f0e7d1aa621bd93bb0dcd0eb454d0c8c1c83d9174367

Download Submit
C:\Users\Admin\AppData\Local\iPoW7ED4R\perfmon.exe

Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
d13d6103feafe4e9d37e2685f0222f87

SHA1
94f53da62c1c0d078e64500a3ec2d939af8212db

SHA256
36e2013e04fbced9497e032835be5c17a64ef62d35ecedcdf83195c29912dece

SHA512
07dbc1ce4471c13573d6c607ab6b21eb1206d3253e6908e9e261bbebc93e6af635202a9a4c9d614f094ef9a60b9f3f2696076d7d1dee817594c02786a30498df

Download Submit
memory/836-64-0x00000231C17A0000-0x00000231C17A7000-memory.dmp

Filesize
28KB

Download
memory/836-69-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1572-41-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1572-0-0x0000026512730000-0x0000026512737000-memory.dmp

Filesize
28KB

Download
memory/1572-2-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1644-53-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1644-49-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1644-48-0x0000021F48100000-0x0000021F48107000-memory.dmp

Filesize
28KB

Download
memory/3432-14-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-11-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-6-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-29-0x00007FFE4EDF0000-0x00007FFE4EE00000-memory.dmp

Filesize
64KB

Download
memory/3432-28-0x00007FFE4EE00000-0x00007FFE4EE10000-memory.dmp

Filesize
64KB

Download
memory/3432-27-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-38-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-7-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-18-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-8-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-9-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-10-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-13-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-15-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-16-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-26-0x0000000000C30000-0x0000000000C37000-memory.dmp

Filesize
28KB

Download
memory/3432-17-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-12-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3432-3-0x00007FFE4D05A000-0x00007FFE4D05B000-memory.dmp

Filesize
4KB

Download
memory/3432-4-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/4004-84-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download