dridex | f92f9aac70cf3963e5f5366bf7671931ab030702f727c9b8e5434a458d1bfef6

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f92f9aac70cf3963e5f5366bf7671931ab030702f727c9b8e5434a458d1bfef6.dll
Size

696KB
MD5

79019653d1f2925d3a9df737ee411e1f
SHA1

029424f436526798306f7fe7c45000addcac07b1
SHA256

f92f9aac70cf3963e5f5366bf7671931ab030702f727c9b8e5434a458d1bfef6
SHA512

352ace41da765e9ac595d97bf0484d084f68df3ff5a858a888561837db8d083dcef0460ad962395e1086e2682300f3afdfed2c32d2c81b60679ea87890b84b1d
SSDEEP

6144:p34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTv:pIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3344-3-0x0000000007B50000-0x0000000007B51000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1184-0-0x00007FFCCB560000-0x00007FFCCB60E000-memory.dmp	dridex_payload
behavioral2/memory/3344-18-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3344-25-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3344-36-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/1184-39-0x00007FFCCB560000-0x00007FFCCB60E000-memory.dmp	dridex_payload
behavioral2/memory/916-47-0x00007FFCBC6D0000-0x00007FFCBC77F000-memory.dmp	dridex_payload
behavioral2/memory/916-51-0x00007FFCBC6D0000-0x00007FFCBC77F000-memory.dmp	dridex_payload
behavioral2/memory/2688-62-0x00007FFCBC680000-0x00007FFCBC774000-memory.dmp	dridex_payload
behavioral2/memory/2688-67-0x00007FFCBC680000-0x00007FFCBC774000-memory.dmp	dridex_payload
behavioral2/memory/3628-82-0x00007FFCBC6D0000-0x00007FFCBC77F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
916	dxgiadaptercache.exe
2688	WindowsActionDialog.exe
3628	MusNotificationUx.exe

Loads dropped DLL 3 IoCs

pid	Process
916	dxgiadaptercache.exe
2688	WindowsActionDialog.exe
3628	MusNotificationUx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\O1sctGln\\WindowsActionDialog.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	regsvr32.exe
1184	regsvr32.exe
1184	regsvr32.exe
1184	regsvr32.exe
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3344	Process not Found
Token: SeCreatePagefilePrivilege	3344	Process not Found
Token: SeShutdownPrivilege	3344	Process not Found
Token: SeCreatePagefilePrivilege	3344	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3344	Process not Found
3344	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3344	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 1108	3344	Process not Found	99
PID 3344 wrote to memory of 1108	3344	Process not Found	99
PID 3344 wrote to memory of 916	3344	Process not Found	100
PID 3344 wrote to memory of 916	3344	Process not Found	100
PID 3344 wrote to memory of 3048	3344	Process not Found	101
PID 3344 wrote to memory of 3048	3344	Process not Found	101
PID 3344 wrote to memory of 2688	3344	Process not Found	102
PID 3344 wrote to memory of 2688	3344	Process not Found	102
PID 3344 wrote to memory of 544	3344	Process not Found	103
PID 3344 wrote to memory of 544	3344	Process not Found	103
PID 3344 wrote to memory of 3628	3344	Process not Found	104
PID 3344 wrote to memory of 3628	3344	Process not Found	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f92f9aac70cf3963e5f5366bf7671931ab030702f727c9b8e5434a458d1bfef6.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:1108

C:\Users\Admin\AppData\Local\lNfzu3\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\lNfzu3\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:916

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:3048

C:\Users\Admin\AppData\Local\QYNlrWBMz\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\QYNlrWBMz\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2688

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:544

C:\Users\Admin\AppData\Local\JRR5lgLS\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\JRR5lgLS\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JRR5lgLS\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\JRR5lgLS\XmlLite.dll

Filesize
700KB

MD5
bacfb2e44949f745bac5ca234131424f

SHA1
b81a77f0fde352340a85dc51dfe68f3cd854f5d6

SHA256
0beb8dec66a40ddce2f25e1a9cd76411af3f0ce3092d760e5cc4b412567ddb0d

SHA512
5c04032d61973916158f80056457d9fe65a81496994499623a15c84d9b330d359d52afb98e6d2c1528a2eff4b03dedb3d338b9494cae44f73026c5a6e9621082

Download Submit
C:\Users\Admin\AppData\Local\QYNlrWBMz\DUI70.dll

Filesize
976KB

MD5
3b7ffc0e635bff0150b3b399c6782ef6

SHA1
b8e80da7be2acabbeeaf50c8c0b4d84d761d0783

SHA256
c6ea9f0237cc227f0da4c7e6760bcc0c18ddcfbb8ae96cc55bfae7d26a671258

SHA512
fefb1a9a19df432008eb341950e2a0e72f6c0ffa86b57931064f80cbbfb8dc4e21a89618d063a9bb6e4303da2525ab9afd3daf8d1bd9ca4061de84238a4dc2ee

Download Submit
C:\Users\Admin\AppData\Local\QYNlrWBMz\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\lNfzu3\dxgi.dll

Filesize
700KB

MD5
770582c0489b432a9c6c06ed82181487

SHA1
6f5962a6472d38dea6b3c6da34c3ef66b18ab805

SHA256
f27b09cbd5cde6d66e51a37eb9a551449e2f0c4cd53737ef43fcb0f9c1cb8ec1

SHA512
cb0f7295c4af949ff620d07978c08f9ef7845acb2366da9963d02da0d246332c59ea2df28348bc7ad73d6ee315a90ea2bd66b69f587536e6d2a3a7f9d7e14ff3

Download Submit
C:\Users\Admin\AppData\Local\lNfzu3\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
b636adda177ea89e5f7fc2a51a8799dc

SHA1
90068176f763c4b88d8f5a64a0934b7e74a5990b

SHA256
738cec1dd7a086dc0e2928099554216e6c755965cc6398197d916dc36a09613c

SHA512
1bdded5750ac47493bf092e9ae5b135a80cf0b2a3a9d79eb9022a40322b2156638de0e5f5a4c09a5d752704a5354fb232a8b1f1ce16c67ef6ad187c1d9c00f82

Download Submit
memory/916-46-0x0000017CFBAD0000-0x0000017CFBAD7000-memory.dmp

Filesize
28KB

Download
memory/916-47-0x00007FFCBC6D0000-0x00007FFCBC77F000-memory.dmp

Filesize
700KB

Download
memory/916-51-0x00007FFCBC6D0000-0x00007FFCBC77F000-memory.dmp

Filesize
700KB

Download
memory/1184-0-0x00007FFCCB560000-0x00007FFCCB60E000-memory.dmp

Filesize
696KB

Download
memory/1184-39-0x00007FFCCB560000-0x00007FFCCB60E000-memory.dmp

Filesize
696KB

Download
memory/1184-2-0x0000000001550000-0x0000000001557000-memory.dmp

Filesize
28KB

Download
memory/2688-64-0x0000023E1B370000-0x0000023E1B377000-memory.dmp

Filesize
28KB

Download
memory/2688-62-0x00007FFCBC680000-0x00007FFCBC774000-memory.dmp

Filesize
976KB

Download
memory/2688-67-0x00007FFCBC680000-0x00007FFCBC774000-memory.dmp

Filesize
976KB

Download
memory/3344-25-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-5-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-3-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/3344-36-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-15-0x00007FFCD9A5A000-0x00007FFCD9A5B000-memory.dmp

Filesize
4KB

Download
memory/3344-26-0x00007FFCDA200000-0x00007FFCDA210000-memory.dmp

Filesize
64KB

Download
memory/3344-27-0x00007FFCDA1F0000-0x00007FFCDA200000-memory.dmp

Filesize
64KB

Download
memory/3344-16-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-18-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-24-0x0000000007B30000-0x0000000007B37000-memory.dmp

Filesize
28KB

Download
memory/3344-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3344-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3628-82-0x00007FFCBC6D0000-0x00007FFCBC77F000-memory.dmp

Filesize
700KB

Download