dridex | 12e83b82323d48939373b00da810964eb14b176f112a61437dcc8b83483d789a

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e83b82323d48939373b00da810964eb14b176f112a61437dcc8b83483d789aN.dll
Size

724KB
MD5

16ff194261d802bb962f116de20281f0
SHA1

fe8d67b2362a86ad47bf63abf68ce997cdc42ea0
SHA256

12e83b82323d48939373b00da810964eb14b176f112a61437dcc8b83483d789a
SHA512

9cd53fbce376a94a99ea197bb2d8376e932e2c8a843708205c8c613492657ed1aa731b4bd4d3cdc1e4be8d3229865af7d0bcdeb655e44fd0f53560785be1ecf7
SSDEEP

12288:KO3+ivi0RNOR/5DH2InMtdhtvX2tvJljUWcJxm/Osj3lx7l6X0k97L4HAF3it:7vdvOZ9H2+Mt7tvX2tvJljT/mi1xJ6t6

Score

10^/10

dridex botnet evasion loader payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Loader 'dmod' strings 11 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

resource	yara_rule
behavioral2/memory/1152-1-0x00007FFE3FD00000-0x00007FFE3FDB5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3496-22-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3496-16-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3496-33-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/1152-36-0x00007FFE3FD00000-0x00007FFE3FDB5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/552-49-0x00007FFE30390000-0x00007FFE3048B000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/552-43-0x00007FFE30390000-0x00007FFE3048B000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/2580-62-0x00007FFE30470000-0x00007FFE30526000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/2580-68-0x00007FFE30470000-0x00007FFE30526000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3120-79-0x00007FFE30470000-0x00007FFE3052C000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3120-84-0x00007FFE30470000-0x00007FFE3052C000-memory.dmp	dridex_ldr_dmod

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3496-4-0x0000000003120000-0x0000000003121000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
552	EaseOfAccessDialog.exe
2580	sppsvc.exe
3120	eudcedit.exe

Loads dropped DLL 3 IoCs

pid	Process
552	EaseOfAccessDialog.exe
2580	sppsvc.exe
3120	eudcedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsrvevdpr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\kNC\\sppsvc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found
3496	Process not Found

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 1692	3496	Process not Found	96
PID 3496 wrote to memory of 1692	3496	Process not Found	96
PID 3496 wrote to memory of 552	3496	Process not Found	97
PID 3496 wrote to memory of 552	3496	Process not Found	97
PID 3496 wrote to memory of 2580	3496	Process not Found	99
PID 3496 wrote to memory of 2580	3496	Process not Found	99
PID 3496 wrote to memory of 3420	3496	Process not Found	100
PID 3496 wrote to memory of 3420	3496	Process not Found	100
PID 3496 wrote to memory of 3120	3496	Process not Found	101
PID 3496 wrote to memory of 3120	3496	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12e83b82323d48939373b00da810964eb14b176f112a61437dcc8b83483d789aN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:1692

C:\Users\Admin\AppData\Local\Stdn35l\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\Stdn35l\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:552

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\2oYT6lNQW\sppsvc.exe
C:\Users\Admin\AppData\Local\2oYT6lNQW\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2580

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:3420

C:\Users\Admin\AppData\Local\OkA\eudcedit.exe
C:\Users\Admin\AppData\Local\OkA\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2oYT6lNQW\XmlLite.dll

Filesize
728KB

MD5
da087ad145aa0230411e41d498b1c1e6

SHA1
c3d9a49351f5a86f7369b1f7446842b4c043a8e0

SHA256
f9d13b44d0b1fea35f2475296fd57467f68a2b24f02644429cbd1ad202feb31b

SHA512
ba76785d604b2850ee1b1a2bf627131cbe0b41869519e56621df8dcd9099560766e5c582f5f25d17c5c8f7cb96de46902cdbae5cdd5d5787c6a5ac30250bdde4

Download Submit
C:\Users\Admin\AppData\Local\2oYT6lNQW\sppsvc.exe

Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Local\OkA\MFC42u.dll

Filesize
752KB

MD5
2a9e596121c84d4dd5ac0ea921a9776f

SHA1
843797e2e6b5250c3d9072c6a0367ee0df74b06e

SHA256
d5f91119b1b92293df4c5bf58d9b6841b87a23d1f689787d7c4fdb84292268ee

SHA512
c760607e1248a58f071510a081bebc71148b71f8cf09bffe88387e4f8c68b222f2689d6f3b66c62ffee6c7678c994fef70cfeded95e7e10bfebc74fdab53938b

Download Submit
C:\Users\Admin\AppData\Local\OkA\eudcedit.exe

Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\Stdn35l\DUI70.dll

Filesize
1004KB

MD5
3afe9a7d37a40a5904403642164da0c9

SHA1
812ade6cc6b2765676507df52d7e7e0f29dd5916

SHA256
f75922658dd68b3c81fac93e53f26ba5c5f6a30abeb28c48ee5c2de34dbf3d4e

SHA512
26c42ba1af45d77eabda39e37f7b2da15964f7391c27e3268d674c2905bef44f76e51e66128c7c1d39a0d3b355ec545252da62b17baa60660aabe436690c0928

Download Submit
C:\Users\Admin\AppData\Local\Stdn35l\EaseOfAccessDialog.exe

Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk

Filesize
1KB

MD5
020c560ef7259ab493822093a6776b50

SHA1
50a880c3a937660323c11122e12c4dfb3f4d41fa

SHA256
7ba51ec7dd75d2219335a21e1508cdf6f85f457ebb90d15c8b8a5262ce089569

SHA512
fcfa5c9fb362ab81e99c05b21a63d650ec667e2d8eea58ad05c60d6a2a099e6045c737f3702745aec78695b42733f5ef34fec1e11f7e225df910c0f26dce454d

Download Submit
memory/552-46-0x000001C344B40000-0x000001C344B47000-memory.dmp

Filesize
28KB

Download
memory/552-49-0x00007FFE30390000-0x00007FFE3048B000-memory.dmp

Filesize
1004KB

Download
memory/552-43-0x00007FFE30390000-0x00007FFE3048B000-memory.dmp

Filesize
1004KB

Download
memory/1152-0-0x0000028967ED0000-0x0000028967ED7000-memory.dmp

Filesize
28KB

Download
memory/1152-36-0x00007FFE3FD00000-0x00007FFE3FDB5000-memory.dmp

Filesize
724KB

Download
memory/1152-1-0x00007FFE3FD00000-0x00007FFE3FDB5000-memory.dmp

Filesize
724KB

Download
memory/2580-62-0x00007FFE30470000-0x00007FFE30526000-memory.dmp

Filesize
728KB

Download
memory/2580-65-0x000002267D6F0000-0x000002267D6F7000-memory.dmp

Filesize
28KB

Download
memory/2580-68-0x00007FFE30470000-0x00007FFE30526000-memory.dmp

Filesize
728KB

Download
memory/3120-79-0x00007FFE30470000-0x00007FFE3052C000-memory.dmp

Filesize
752KB

Download
memory/3120-84-0x00007FFE30470000-0x00007FFE3052C000-memory.dmp

Filesize
752KB

Download
memory/3496-23-0x0000000001320000-0x0000000001327000-memory.dmp

Filesize
28KB

Download
memory/3496-33-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-15-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-8-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-9-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-10-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-11-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-12-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-13-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-16-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-24-0x00007FFE4E8B0000-0x00007FFE4E8C0000-memory.dmp

Filesize
64KB

Download
memory/3496-22-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-14-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-7-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3496-5-0x00007FFE4DC8A000-0x00007FFE4DC8B000-memory.dmp

Filesize
4KB

Download
memory/3496-4-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download