dridex | d8e2f42b160e555fde80597cbf093a4f89bb25a7b36ec08fd6739141107664df

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8e2f42b160e555fde80597cbf093a4f89bb25a7b36ec08fd6739141107664df.dll
Size

768KB
MD5

778f2d03f6cc98beaa08661134555c8d
SHA1

0ffa709507e15bd9d1359a227e750c7f53651754
SHA256

d8e2f42b160e555fde80597cbf093a4f89bb25a7b36ec08fd6739141107664df
SHA512

c664eec09008a98da234009e49465777b0112ef7d41fcf40aa88d7aa04fe49d067bc0f1d27e5d75d05c07dabbeab4e7a288d97f7b40684a1867d2854aea90e2b
SSDEEP

12288:66BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6t:66BQBjlc728jo7S1bl6FbKG

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3144-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4092	DeviceEnroller.exe
1788	Dxpserver.exe
3568	dccw.exe

Loads dropped DLL 3 IoCs

pid	Process
4092	DeviceEnroller.exe
1788	Dxpserver.exe
3568	dccw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\WORDDO~1\\HGNNIP~1\\DXPSER~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	rundll32.exe
2816	rundll32.exe
2816	rundll32.exe
2816	rundll32.exe
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4572	3144	Process not Found	93
PID 3144 wrote to memory of 4572	3144	Process not Found	93
PID 3144 wrote to memory of 4092	3144	Process not Found	94
PID 3144 wrote to memory of 4092	3144	Process not Found	94
PID 3144 wrote to memory of 3428	3144	Process not Found	99
PID 3144 wrote to memory of 3428	3144	Process not Found	99
PID 3144 wrote to memory of 1788	3144	Process not Found	100
PID 3144 wrote to memory of 1788	3144	Process not Found	100
PID 3144 wrote to memory of 1320	3144	Process not Found	101
PID 3144 wrote to memory of 1320	3144	Process not Found	101
PID 3144 wrote to memory of 3568	3144	Process not Found	102
PID 3144 wrote to memory of 3568	3144	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8e2f42b160e555fde80597cbf093a4f89bb25a7b36ec08fd6739141107664df.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:4572

C:\Users\Admin\AppData\Local\ayGd\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\ayGd\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4092

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:3428

C:\Users\Admin\AppData\Local\KhEzLT3\Dxpserver.exe
C:\Users\Admin\AppData\Local\KhEzLT3\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1788

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:1320

C:\Users\Admin\AppData\Local\aijz\dccw.exe
C:\Users\Admin\AppData\Local\aijz\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KhEzLT3\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\KhEzLT3\XmlLite.dll

Filesize
772KB

MD5
5e7504e70f71064116c21f6971b87080

SHA1
69296798ed1ae7a7f69357a9bbeb718e6f68ffd5

SHA256
7cb8435dbcc1efe907e4296afb5d814b1236476c5b1d8be81364ccc176431bb4

SHA512
4deb1e0447441d6d4d4b2b71fef950bc57728ce536bd3ce4420b9b9bfebc8ea9275e7c1c93da7e206e6243443c0d665497a230d9011ffb1de622c32ccb70eeef

Download Submit
C:\Users\Admin\AppData\Local\aijz\dccw.exe

Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\aijz\dxva2.dll

Filesize
772KB

MD5
16dace7e73d9f5a190b009968ba4d268

SHA1
a2885291ff66872de555af45f280feb4f0fafc6d

SHA256
03a30785ae7eb5ab78d9665b432b61359bf2f8707f012a8c749f117732eb5850

SHA512
15f445fe8793c1f4da19f830baf08acb5d75d59a52b7c3a4fec6202e0d7373d41984206914980a83361d3191307b6e76ccf0a88a60002e2f4de8c94423c119c4

Download Submit
C:\Users\Admin\AppData\Local\ayGd\DeviceEnroller.exe

Filesize
448KB

MD5
946d9474533f58d2613078fd14ca7473

SHA1
c2620ac9522fa3702a6a03299b930d6044aa5e49

SHA256
cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

SHA512
3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

Download Submit
C:\Users\Admin\AppData\Local\ayGd\XmlLite.dll

Filesize
772KB

MD5
6dcb70245932a0a96fe5854e35aec909

SHA1
0ce16a0cce57754dcdeb282013c29724137c6e2c

SHA256
1ed04e068027b251a87bb6ec1c9143e5430a933594f291f33ba717685f214177

SHA512
58ddb475b68da4c18ed91a6d763f09a62d235b5f5130d04c1aef337b0c4a721827a1da5b0474bf4cdaaf00134ff2cec4c115f32a63cf60bd5f4ef4e500c082e6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1KB

MD5
1b9fbf6b0833a245d1d3db7d4af02e36

SHA1
557abfa362d4a97a35dd5f80f7429b6451a1d860

SHA256
1ccbb87da1621a66c624a0e71c55c0bb526e41c411bcfc2a6720a86e28565457

SHA512
ed100c69d1df538fc305547455651452064409291f6d07606d2c90c92e101921d048137054a9a9de65698b22586867b942c2f056d7a69daf833c100f4e2ac8e7

Download Submit
memory/1788-79-0x000001E777030000-0x000001E777037000-memory.dmp

Filesize
28KB

Download
memory/1788-78-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/1788-83-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/2816-0-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2816-1-0x0000018D4F540000-0x0000018D4F547000-memory.dmp

Filesize
28KB

Download
memory/2816-2-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2816-49-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-13-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-23-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-21-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-19-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-18-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-17-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-15-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-14-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-22-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-12-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-11-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-9-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-34-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-10-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-8-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-20-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-24-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-26-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-7-0x00007FFA3046A000-0x00007FFA3046B000-memory.dmp

Filesize
4KB

Download
memory/3144-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/3144-16-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-25-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-43-0x0000000001E70000-0x0000000001E77000-memory.dmp

Filesize
28KB

Download
memory/3144-44-0x00007FFA32270000-0x00007FFA32280000-memory.dmp

Filesize
64KB

Download
memory/3144-45-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3144-27-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3568-97-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/3568-101-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/4092-64-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/4092-56-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/4092-59-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/4092-60-0x000001580E340000-0x000001580E347000-memory.dmp

Filesize
28KB

Download