dridex | 26fa4f3e2ff9d20e54a8ed92898d8d524f973424a6d7b6d62e489e3d5b9fa66a

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26fa4f3e2ff9d20e54a8ed92898d8d524f973424a6d7b6d62e489e3d5b9fa66a.dll
Size

672KB
MD5

e4b4e6107ac85d6d9981acf940fe05ef
SHA1

c049818fd585fe51844578411859c17c463b9bbc
SHA256

26fa4f3e2ff9d20e54a8ed92898d8d524f973424a6d7b6d62e489e3d5b9fa66a
SHA512

09e324a23666faacf1817e4c4b148944789756bab8521d5d1182a007b0b680382769b09c6b376b1a07ce154a80aa1243271ca4d64b75abf73b7238bce72fd960
SSDEEP

6144:U34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:UIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3428-3-0x00000000079B0000-0x00000000079B1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2588-1-0x00007FFB85A50000-0x00007FFB85AF8000-memory.dmp	dridex_payload
behavioral2/memory/3428-16-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3428-36-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3428-25-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/2588-39-0x00007FFB85A50000-0x00007FFB85AF8000-memory.dmp	dridex_payload
behavioral2/memory/2196-46-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp	dridex_payload
behavioral2/memory/2196-51-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp	dridex_payload
behavioral2/memory/2288-67-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp	dridex_payload
behavioral2/memory/536-82-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2196	AgentService.exe
2288	MDMAppInstaller.exe
536	unregmp2.exe

Loads dropped DLL 3 IoCs

pid	Process
2196	AgentService.exe
2288	MDMAppInstaller.exe
536	unregmp2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\1L6T\\MDMAPP~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3428	Process not Found
3428	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3428	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4116	3428	Process not Found	99
PID 3428 wrote to memory of 4116	3428	Process not Found	99
PID 3428 wrote to memory of 2196	3428	Process not Found	100
PID 3428 wrote to memory of 2196	3428	Process not Found	100
PID 3428 wrote to memory of 2100	3428	Process not Found	101
PID 3428 wrote to memory of 2100	3428	Process not Found	101
PID 3428 wrote to memory of 2288	3428	Process not Found	102
PID 3428 wrote to memory of 2288	3428	Process not Found	102
PID 3428 wrote to memory of 1196	3428	Process not Found	103
PID 3428 wrote to memory of 1196	3428	Process not Found	103
PID 3428 wrote to memory of 536	3428	Process not Found	104
PID 3428 wrote to memory of 536	3428	Process not Found	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26fa4f3e2ff9d20e54a8ed92898d8d524f973424a6d7b6d62e489e3d5b9fa66a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2588

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:4116

C:\Users\Admin\AppData\Local\UGkNdUS\AgentService.exe
C:\Users\Admin\AppData\Local\UGkNdUS\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2196

C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
1⤵
PID:2100

C:\Users\Admin\AppData\Local\UuAvj\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\UuAvj\MDMAppInstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2288

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:1196

C:\Users\Admin\AppData\Local\3ZG8d\unregmp2.exe
C:\Users\Admin\AppData\Local\3ZG8d\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3ZG8d\VERSION.dll

Filesize
676KB

MD5
ec8d9d7d2967312e27001dc8a8869b3d

SHA1
d80cea08460066238ba433160f17b3c051f682c2

SHA256
9974e9ef1dd7d7f515f81e2f9374445ef2c783d3d4fa6013f7ba5f7768ebda0d

SHA512
a63a75d349e396ea4e9dd477a8314478cab1d87b48d024a897ff87be0dcbc82d743dd04f3bbe5484c0503093e551736c7397f4ed8dd6f7b53bb8be6350b8d90e

Download Submit
C:\Users\Admin\AppData\Local\3ZG8d\unregmp2.exe

Filesize
259KB

MD5
a6fc8ce566dec7c5873cb9d02d7b874e

SHA1
a30040967f75df85a1e3927bdce159b102011a61

SHA256
21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

SHA512
f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

Download Submit
C:\Users\Admin\AppData\Local\UGkNdUS\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Local\UGkNdUS\VERSION.dll

Filesize
676KB

MD5
f955a8c412fda2df9b08b993e39e2263

SHA1
5187a0413554e83b19c21255ecf21dcc72ff20db

SHA256
b45602abcc0fb292248aa4ed0300b8bd3f43de884e1a56957c7003cdce8bc6c7

SHA512
cab7ac42d9f7611b6592e0002f11a84522dc7300e5e5959fb4388293043650758a84a4ff89f615b8c25c277d7ad3b355dac116a2baf8684d0ab7aac8052aba67

Download Submit
C:\Users\Admin\AppData\Local\UuAvj\MDMAppInstaller.exe

Filesize
151KB

MD5
30e978cc6830b04f1e7ed285cccaa746

SHA1
e915147c17e113c676c635e2102bbff90fb7aa52

SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Download Submit
C:\Users\Admin\AppData\Local\UuAvj\WTSAPI32.dll

Filesize
676KB

MD5
230207d38eace339aa9e7bf8a07759a6

SHA1
e9cf2b6d12f82a7d0dc0135e34711f9fc48922ac

SHA256
36dcc47d8b102efe390403667e0ec72f8396d27d47e7237a0b5dfca608bd861c

SHA512
13fd19cbff73ca30777b890778a5260fdbd9e04ada79358a8f0fc86325a477927300d4b79af14454fcf07f3372d1320b6e966274ec196e5e6921d1cd19ea9c3f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
8921facb9516ea802fc1c646785bf1d5

SHA1
74c3f97ea2133d5a80491eede54d6ad6f4d14e9d

SHA256
013f2aeca5bc298a3d6a87804a9474855dd862914da4297a6a20467cb060e1c8

SHA512
6a60bf267f23de2f974fab9aaba7cc96b8c638d00bd147af3ff2a5d81d15ee11d2502beb8c4f2aaed85936c7cf874e5453b330e43e542d343bc791c564c1f1e4

Download Submit
memory/536-82-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp

Filesize
676KB

Download
memory/2196-46-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp

Filesize
676KB

Download
memory/2196-51-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp

Filesize
676KB

Download
memory/2196-48-0x00000245EAE30000-0x00000245EAE37000-memory.dmp

Filesize
28KB

Download
memory/2288-62-0x00000276771B0000-0x00000276771B7000-memory.dmp

Filesize
28KB

Download
memory/2288-67-0x00007FFB75E50000-0x00007FFB75EF9000-memory.dmp

Filesize
676KB

Download
memory/2588-0-0x0000024667940000-0x0000024667947000-memory.dmp

Filesize
28KB

Download
memory/2588-39-0x00007FFB85A50000-0x00007FFB85AF8000-memory.dmp

Filesize
672KB

Download
memory/2588-1-0x00007FFB85A50000-0x00007FFB85AF8000-memory.dmp

Filesize
672KB

Download
memory/3428-27-0x00007FFB94790000-0x00007FFB947A0000-memory.dmp

Filesize
64KB

Download
memory/3428-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-5-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-3-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/3428-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-25-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-26-0x00007FFB947A0000-0x00007FFB947B0000-memory.dmp

Filesize
64KB

Download
memory/3428-36-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3428-24-0x0000000005400000-0x0000000005407000-memory.dmp

Filesize
28KB

Download
memory/3428-23-0x00007FFB931CA000-0x00007FFB931CB000-memory.dmp

Filesize
4KB

Download
memory/3428-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download