dridex | 60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b.dll
Size

676KB
MD5

4d50c132ca23b8e8fa6f50c8e7db7e3b
SHA1

fc0fe7b8a046e550ed228581c381d5244a62c74c
SHA256

60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b
SHA512

317ca386657544fb79e3a0529278ea096abcb30ad0aef492a4e9a97b87502154095fccde07882c0a98ea2a278860c765a3ea6283cf195085405e1d8048101614
SSDEEP

6144:C34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:CIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3464-3-0x0000000007860000-0x0000000007861000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3280-0-0x00007FFDAE930000-0x00007FFDAE9D9000-memory.dmp	dridex_payload
behavioral2/memory/3464-26-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral2/memory/3464-37-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral2/memory/3464-19-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral2/memory/3280-40-0x00007FFDAE930000-0x00007FFDAE9D9000-memory.dmp	dridex_payload
behavioral2/memory/2852-47-0x00007FFD9E750000-0x00007FFD9E7FA000-memory.dmp	dridex_payload
behavioral2/memory/2852-52-0x00007FFD9E750000-0x00007FFD9E7FA000-memory.dmp	dridex_payload
behavioral2/memory/1900-64-0x00007FFD9E750000-0x00007FFD9E7FB000-memory.dmp	dridex_payload
behavioral2/memory/1900-68-0x00007FFD9E750000-0x00007FFD9E7FB000-memory.dmp	dridex_payload
behavioral2/memory/3644-79-0x00007FFD9E640000-0x00007FFD9E6EA000-memory.dmp	dridex_payload
behavioral2/memory/3644-83-0x00007FFD9E640000-0x00007FFD9E6EA000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

AgentService.exetcmsetup.exeMusNotifyIcon.exe

pid	Process
2852	AgentService.exe
1900	tcmsetup.exe
3644	MusNotifyIcon.exe

Loads dropped DLL 3 IoCs

Processes:

AgentService.exetcmsetup.exeMusNotifyIcon.exe

pid	Process
2852	AgentService.exe
1900	tcmsetup.exe
3644	MusNotifyIcon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\o8oDamUCGm0\\tcmsetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

tcmsetup.exeMusNotifyIcon.exerundll32.exeAgentService.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3464
3464

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3464

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3464 wrote to memory of 2860	3464	100
PID 3464 wrote to memory of 2860	3464	100
PID 3464 wrote to memory of 2852	3464	101
PID 3464 wrote to memory of 2852	3464	101
PID 3464 wrote to memory of 5032	3464	102
PID 3464 wrote to memory of 5032	3464	102
PID 3464 wrote to memory of 1900	3464	103
PID 3464 wrote to memory of 1900	3464	103
PID 3464 wrote to memory of 2848	3464	104
PID 3464 wrote to memory of 2848	3464	104
PID 3464 wrote to memory of 3644	3464	105
PID 3464 wrote to memory of 3644	3464	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3280

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:2860

C:\Users\Admin\AppData\Local\JzfL090g\AgentService.exe
C:\Users\Admin\AppData\Local\JzfL090g\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2852

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:5032

C:\Users\Admin\AppData\Local\IrP6AM\tcmsetup.exe
C:\Users\Admin\AppData\Local\IrP6AM\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1900

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\HjUmXHW43\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\HjUmXHW43\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HjUmXHW43\MusNotifyIcon.exe

Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\HjUmXHW43\XmlLite.dll

Filesize
680KB

MD5
642200063aa36bdadcf159ce647ddad0

SHA1
8cb3968e401132ba4a7f14ba526a38863c0406a7

SHA256
938c5df2734a54838acf0a090354711ff9e29e960bf996b0957b436d47786a47

SHA512
4236022372cd409907a30dfdf125cacd65f4016d6ecd717c8fb76a0459230d9058b36721daa7d5ec470842f4ed13ac025e43ef54706b67dffe0cff23bd010224

Download Submit
C:\Users\Admin\AppData\Local\IrP6AM\TAPI32.dll

Filesize
684KB

MD5
ce6a29031b1ce0db0f74be52178c46ad

SHA1
fc81246f8f055ff2b05681ef0a474d5e6e5b3a7d

SHA256
8c554a41dfdf2e00b82029dbe4b63ff9ff865c137924e50d9490a3303c65fe9d

SHA512
bdb0470882f260377496c83d593b64032be5c75ab03a9e12473359da4365a045668968b4ddd4b64da3e6bb7e6be10af1445bc40f83ea71afdefb6af735ba5f21

Download Submit
C:\Users\Admin\AppData\Local\IrP6AM\tcmsetup.exe

Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Users\Admin\AppData\Local\JzfL090g\ACTIVEDS.dll

Filesize
680KB

MD5
d47170415ba61e6061d3b0382a065e93

SHA1
19921f217812317eaf0ce72dc6e3f6b4e4c72968

SHA256
9ff89f27fdc8f6fe23cc7a797d4232158026c21a8e2350f56aabd0a7f0da47b0

SHA512
41798b3afd82c314a242424c884e81a38c323bd1ed301c39fe43e1b7a94d997bbb30c13fe73423fba2fe10e3371a07bea7661eaa8cbfd571cd7aa8e3551d265b

Download Submit
C:\Users\Admin\AppData\Local\JzfL090g\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
1a336cd66d27820c71ec549c829326a4

SHA1
ceef83356c953e10749ba10c3c4eac45565f0cd9

SHA256
8803d1088a6cae1ef0fe88493aafb4b6ee62bc28efcc580452253e693d1764a1

SHA512
9cb4189640d825b50afccae27b9df3fde395c182528e732a7c23ff30cafd4c6ef6d32428b3015750b6a0cf8616adb392c2edaa157bcf1bd5c38622d535e503b0

Download Submit
memory/1900-68-0x00007FFD9E750000-0x00007FFD9E7FB000-memory.dmp

Filesize
684KB

Download
memory/1900-64-0x00007FFD9E750000-0x00007FFD9E7FB000-memory.dmp

Filesize
684KB

Download
memory/1900-63-0x0000027C86E70000-0x0000027C86E77000-memory.dmp

Filesize
28KB

Download
memory/2852-47-0x00007FFD9E750000-0x00007FFD9E7FA000-memory.dmp

Filesize
680KB

Download
memory/2852-52-0x00007FFD9E750000-0x00007FFD9E7FA000-memory.dmp

Filesize
680KB

Download
memory/2852-49-0x000001E0B74A0000-0x000001E0B74A7000-memory.dmp

Filesize
28KB

Download
memory/3280-2-0x0000027982DC0000-0x0000027982DC7000-memory.dmp

Filesize
28KB

Download
memory/3280-40-0x00007FFDAE930000-0x00007FFDAE9D9000-memory.dmp

Filesize
676KB

Download
memory/3280-0-0x00007FFDAE930000-0x00007FFDAE9D9000-memory.dmp

Filesize
676KB

Download
memory/3464-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-14-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-7-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-6-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-19-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-3-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3464-9-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-10-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-11-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-12-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-13-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-8-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-28-0x00007FFDBCE30000-0x00007FFDBCE40000-memory.dmp

Filesize
64KB

Download
memory/3464-27-0x00007FFDBCE40000-0x00007FFDBCE50000-memory.dmp

Filesize
64KB

Download
memory/3464-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-16-0x00007FFDBC29A000-0x00007FFDBC29B000-memory.dmp

Filesize
4KB

Download
memory/3464-18-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-17-0x0000000007840000-0x0000000007847000-memory.dmp

Filesize
28KB

Download
memory/3464-5-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3644-83-0x00007FFD9E640000-0x00007FFD9E6EA000-memory.dmp

Filesize
680KB

Download
memory/3644-79-0x00007FFD9E640000-0x00007FFD9E6EA000-memory.dmp

Filesize
680KB

Download