dridex | 055334a15a5473829f0ee5d7e2695ddd6be6e87e1eaeab9b2bbdc2571dec8ded

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

055334a15a5473829f0ee5d7e2695ddd6be6e87e1eaeab9b2bbdc2571dec8ded.dll
Size

776KB
MD5

5275646a6840ccb66702495f74f2bcb1
SHA1

7914b808819e702bc2d457de368310d19496e7dc
SHA256

055334a15a5473829f0ee5d7e2695ddd6be6e87e1eaeab9b2bbdc2571dec8ded
SHA512

2ac366a058c1800216e623cce710cc1c42fb942e304365ba9a7eb6b8e6000c7ba2d639210e1f5bf4927243105edf105ee5d3913fe936df68ee0a9270f670c31f
SSDEEP

24576:pWyonFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:EHuVMK6vx2RsIKNrj

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3444-5-0x0000000002870000-0x0000000002871000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4872	dccw.exe
2912	omadmclient.exe
2868	InfDefaultInstall.exe

Loads dropped DLL 3 IoCs

pid	Process
4872	dccw.exe
2912	omadmclient.exe
2868	InfDefaultInstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\AlJZhszz\\OMADMC~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InfDefaultInstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3612	rundll32.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3116	3444	Process not Found	84
PID 3444 wrote to memory of 3116	3444	Process not Found	84
PID 3444 wrote to memory of 4872	3444	Process not Found	85
PID 3444 wrote to memory of 4872	3444	Process not Found	85
PID 3444 wrote to memory of 4924	3444	Process not Found	86
PID 3444 wrote to memory of 4924	3444	Process not Found	86
PID 3444 wrote to memory of 2912	3444	Process not Found	87
PID 3444 wrote to memory of 2912	3444	Process not Found	87
PID 3444 wrote to memory of 1444	3444	Process not Found	88
PID 3444 wrote to memory of 1444	3444	Process not Found	88
PID 3444 wrote to memory of 2868	3444	Process not Found	89
PID 3444 wrote to memory of 2868	3444	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\055334a15a5473829f0ee5d7e2695ddd6be6e87e1eaeab9b2bbdc2571dec8ded.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:3116

C:\Users\Admin\AppData\Local\HoFATl0\dccw.exe
C:\Users\Admin\AppData\Local\HoFATl0\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4872

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:4924

C:\Users\Admin\AppData\Local\43mN7z7o5\omadmclient.exe
C:\Users\Admin\AppData\Local\43mN7z7o5\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2912

C:\Windows\system32\InfDefaultInstall.exe
C:\Windows\system32\InfDefaultInstall.exe
1⤵
PID:1444

C:\Users\Admin\AppData\Local\QsbCxcx\InfDefaultInstall.exe
C:\Users\Admin\AppData\Local\QsbCxcx\InfDefaultInstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\43mN7z7o5\XmlLite.dll

Filesize
776KB

MD5
7036d6dd8b6326b7e7e50cc659b57848

SHA1
1f0addea7612d34ebca6bf34b51160b4aa6ae01f

SHA256
6537d178534bbad006e9080fcc2833ae306c9ea38c86ebed63174388d2bd6b91

SHA512
b9ccaf60db629b327ee0594e1648ebfc790fef18075e2991d1d19952259ec2837ac8fd272264b2cbd8f2fd5fd6855a6ddc264110de4347590a75f6d71c410fa8

Download Submit
C:\Users\Admin\AppData\Local\43mN7z7o5\omadmclient.exe

Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Local\HoFATl0\dccw.exe

Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\HoFATl0\mscms.dll

Filesize
784KB

MD5
5e4f1ad3af3ab11a16b7c2e8dc0d5048

SHA1
48f8d11e519dd4f52f743cfd3fa8561aa238e9a4

SHA256
8d034d5030ca8d80f3098cf2d200f26fe97b6484c3947bd01bed685130469775

SHA512
d2ef94045b51fbeb79c46dd4f2e406c0a1de232eb061a4c59d6505b21f79b283249cc5d02efb7e39531643281823a032a77a54a0d1a089e957f443c1807a3c3e

Download Submit
C:\Users\Admin\AppData\Local\QsbCxcx\InfDefaultInstall.exe

Filesize
13KB

MD5
ee18876c1e5de583de7547075975120e

SHA1
f7fcb3d77da74deee25de9296a7c7335916504e3

SHA256
e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

SHA512
08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

Download Submit
C:\Users\Admin\AppData\Local\QsbCxcx\newdev.dll

Filesize
776KB

MD5
4fb332d3cf7fbcae96fd6ae9d001af83

SHA1
b1ad99590168ca90eeae58d0bb934610e7d64467

SHA256
b70b432443619536cdf175418651dd56e81bf2452182451c90e14c5c75e347e5

SHA512
0e4b3a505632f9de8daa9edb694911ee11bf748fd596dde454ff2dbed52d880b8574785b6ec0006718be0766422b1fc375165eb3765fbb399c98973bd300b549

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
e6bd20cb74446c43c8dfe5401576ccfe

SHA1
1fa816711afad1938e388d616959e575843ea002

SHA256
e18bede69453a84f94157f45b67d6f0aeba44c11cae1a2e2fe064b2054c20c12

SHA512
4c18d977ea33a1c00700b919b011dc7288ed0a42030c78a43bcd0a5dc2509e16f8289aa6eb1092e2592df8e7dce72c4322d8747183373e356a85a89e329bf64b

Download Submit
memory/2868-82-0x00007FFCDF000000-0x00007FFCDF0C2000-memory.dmp

Filesize
776KB

Download
memory/2868-77-0x00007FFCDF000000-0x00007FFCDF0C2000-memory.dmp

Filesize
776KB

Download
memory/2912-66-0x00007FFCDEA30000-0x00007FFCDEAF2000-memory.dmp

Filesize
776KB

Download
memory/2912-63-0x0000011A52BC0000-0x0000011A52BC7000-memory.dmp

Filesize
28KB

Download
memory/2912-60-0x00007FFCDEA30000-0x00007FFCDEAF2000-memory.dmp

Filesize
776KB

Download
memory/3444-23-0x00007FFCED640000-0x00007FFCED650000-memory.dmp

Filesize
64KB

Download
memory/3444-14-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-8-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-7-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-34-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-32-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-10-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-5-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3444-4-0x00007FFCEBCDA000-0x00007FFCEBCDB000-memory.dmp

Filesize
4KB

Download
memory/3444-13-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-12-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-9-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-15-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3444-22-0x00000000008E0000-0x00000000008E7000-memory.dmp

Filesize
28KB

Download
memory/3444-21-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3612-0-0x00000253FB320000-0x00000253FB327000-memory.dmp

Filesize
28KB

Download
memory/3612-11-0x00007FFCDE6B0000-0x00007FFCDE772000-memory.dmp

Filesize
776KB

Download
memory/3612-1-0x00007FFCDE6B0000-0x00007FFCDE772000-memory.dmp

Filesize
776KB

Download
memory/4872-49-0x00007FFCDE880000-0x00007FFCDE944000-memory.dmp

Filesize
784KB

Download
memory/4872-43-0x000001C0F0120000-0x000001C0F0127000-memory.dmp

Filesize
28KB

Download
memory/4872-44-0x00007FFCDE880000-0x00007FFCDE944000-memory.dmp

Filesize
784KB

Download