dridex | b6f78736575bea5b38983159e95a2f629265f4cd083f5773fc418b4c88ce0f41

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f78736575bea5b38983159e95a2f629265f4cd083f5773fc418b4c88ce0f41N.dll
Size

1.5MB
MD5

c026fef0b6c83c6a08c9087fc4fb41c0
SHA1

d029a15df448443c79f3880f07bad27cd0e514d7
SHA256

b6f78736575bea5b38983159e95a2f629265f4cd083f5773fc418b4c88ce0f41
SHA512

f5fb293ef024d11d6cae0142e199c134ce3ddd03bab007f41d07ca896ff7dd38cc86556174f1da5f6affeedd1e09d245680e294f7629c5b73fe9d9de7fa12a6d
SSDEEP

12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002E60000-0x0000000002E61000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2780	xpsrchvw.exe
1352	WFS.exe
1744	msdt.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
2780	xpsrchvw.exe
1196	Process not Found
1352	WFS.exe
1196	Process not Found
1744	msdt.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\qB3ln1\\WFS.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	rundll32.exe
2204	rundll32.exe
2204	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2916	1196	Process not Found	31
PID 1196 wrote to memory of 2916	1196	Process not Found	31
PID 1196 wrote to memory of 2916	1196	Process not Found	31
PID 1196 wrote to memory of 2780	1196	Process not Found	32
PID 1196 wrote to memory of 2780	1196	Process not Found	32
PID 1196 wrote to memory of 2780	1196	Process not Found	32
PID 1196 wrote to memory of 3048	1196	Process not Found	33
PID 1196 wrote to memory of 3048	1196	Process not Found	33
PID 1196 wrote to memory of 3048	1196	Process not Found	33
PID 1196 wrote to memory of 1352	1196	Process not Found	34
PID 1196 wrote to memory of 1352	1196	Process not Found	34
PID 1196 wrote to memory of 1352	1196	Process not Found	34
PID 1196 wrote to memory of 2024	1196	Process not Found	35
PID 1196 wrote to memory of 2024	1196	Process not Found	35
PID 1196 wrote to memory of 2024	1196	Process not Found	35
PID 1196 wrote to memory of 1744	1196	Process not Found	36
PID 1196 wrote to memory of 1744	1196	Process not Found	36
PID 1196 wrote to memory of 1744	1196	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6f78736575bea5b38983159e95a2f629265f4cd083f5773fc418b4c88ce0f41N.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2916

C:\Users\Admin\AppData\Local\W8nTkEt\xpsrchvw.exe
C:\Users\Admin\AppData\Local\W8nTkEt\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2780

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:3048

C:\Users\Admin\AppData\Local\0odQ\WFS.exe
C:\Users\Admin\AppData\Local\0odQ\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1352

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2024

C:\Users\Admin\AppData\Local\zya\msdt.exe
C:\Users\Admin\AppData\Local\zya\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0odQ\WFS.exe

Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\0odQ\credui.dll

Filesize
1.5MB

MD5
d4f02919e6acc6de57f65e3f438d4b06

SHA1
72c3a126f6b411b00fba07d47245ce909a74b4f8

SHA256
1d17d7e6662e83117133bec3f4037f474019f86de2c51b7696dcd63bd27a5b2b

SHA512
f7932cf01564d9bbaeced30c0c0000e70add82bb40f93a0058518ca9c7b0c2206ac5f2c6fdc90d5f44bf82fe349096fc2c5d7681d8ad9888bb79288547f175a9

Download Submit
C:\Users\Admin\AppData\Local\W8nTkEt\WINMM.dll

Filesize
1.5MB

MD5
d91aa0f46f1b07d9ef3c63eb0b149fb0

SHA1
208f210a2aaff5ea9094be08d5c6c03e2b860c22

SHA256
83eda3bcdbdc48bed5ea40dcc10d9892dd8fef62d62b8e8a9c848264cd0ac7a2

SHA512
32c88ffa777ba578e2e732c6478c54e3e2993ff305af5b22575b93ac00e374a7f09c0af9f30997336acd7a99432e0f8c765e8677413a4cffe4f384ec8ae270da

Download Submit
C:\Users\Admin\AppData\Local\zya\DUI70.dll

Filesize
1.7MB

MD5
66468614b01c05cf649c86c71f14f8b3

SHA1
c874a50aac9578e8d54a65a86fbb2909e9a0b64a

SHA256
f60ad2c8c5bda59a3a699400d7fa30fa0840cc5f9dcb97cc2b16f4bb12d0d837

SHA512
394d8ff93300deefcc778889d07894266e1937b2dc2a4073587d26e8c3e19ed9b191b0310bffc0bf74165270fb3078ae112b51f0ee09f29aae473bef268e0968

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
62ad1d009b0a07f59dbf8e3f7ad89747

SHA1
f59b63b9e087bce59478702ce95f8d825b01f51f

SHA256
809d2467ae7da8e4600aec332f9608627fa8f8ee715cd623483904e3d0cb0ec7

SHA512
2308e614ce215363e199f30f065f3ba91ed07573c768231a4bffb6676122479cea8460e97f263bd1e38aaab71b30fee7cd708ea68838b7d97a5d90fa5badbce8

Download Submit
\Users\Admin\AppData\Local\W8nTkEt\xpsrchvw.exe

Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\zya\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
memory/1196-24-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-19-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-55-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-48-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-46-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-45-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-44-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-43-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-42-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-40-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-38-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-37-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-36-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-35-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-34-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-33-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-32-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-30-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-29-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-28-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-27-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-26-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-25-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-4-0x0000000076BF6000-0x0000000076BF7000-memory.dmp

Filesize
4KB

Download
memory/1196-23-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-22-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-20-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-64-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-18-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-17-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-15-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-41-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-39-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-14-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-31-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-13-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-12-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-11-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-21-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-10-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-8-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-7-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-70-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-58-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-59-0x0000000002E40000-0x0000000002E47000-memory.dmp

Filesize
28KB

Download
memory/1196-5-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/1196-115-0x0000000076BF6000-0x0000000076BF7000-memory.dmp

Filesize
4KB

Download
memory/1196-16-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-47-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/1196-60-0x0000000076D01000-0x0000000076D02000-memory.dmp

Filesize
4KB

Download
memory/1196-61-0x0000000076E60000-0x0000000076E62000-memory.dmp

Filesize
8KB

Download
memory/1352-97-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2204-9-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/2204-0-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2204-1-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/2780-79-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download