dridex | 113fdc288d8786754c54fa4f379ce7882b08d9c047b64055239aff889360a61a

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113fdc288d8786754c54fa4f379ce7882b08d9c047b64055239aff889360a61aN.dll
Size

716KB
MD5

683224e2ae945630da894687d7bf3070
SHA1

94cd595c69ccccf0ea1c153293de4cf30f6b296d
SHA256

113fdc288d8786754c54fa4f379ce7882b08d9c047b64055239aff889360a61a
SHA512

78e54cb31c1e64346cac76dc4a1bbca0cd73c61339b46411381264dcac29e498789da17eb1cd2018bd1cb336ccaeccae0c1cab46614422f2ab44f072f20e26ab
SSDEEP

12288:ROCRucgLs3bu9FRcOL5yEPAIiCj6ELV32KrXZiQJ8cXFpoT:cCroYbu9FvAEPAIiy6ELV32KlF

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3368-4-0x00000000024A0000-0x00000000024A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/3344-1-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral2/memory/3368-23-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral2/memory/3368-35-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral2/memory/3344-38-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral2/memory/2848-46-0x0000000140000000-0x00000001400B4000-memory.dmp	dridex_payload
behavioral2/memory/2848-50-0x0000000140000000-0x00000001400B4000-memory.dmp	dridex_payload
behavioral2/memory/3540-66-0x0000000140000000-0x00000001400B4000-memory.dmp	dridex_payload
behavioral2/memory/2744-81-0x0000000140000000-0x00000001400B4000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2848	isoburn.exe
3540	AtBroker.exe
2744	dccw.exe

Loads dropped DLL 3 IoCs

pid	Process
2848	isoburn.exe
3540	AtBroker.exe
2744	dccw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\rXexXH4J\\AtBroker.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3384	3368	Process not Found	92
PID 3368 wrote to memory of 3384	3368	Process not Found	92
PID 3368 wrote to memory of 2848	3368	Process not Found	93
PID 3368 wrote to memory of 2848	3368	Process not Found	93
PID 3368 wrote to memory of 1768	3368	Process not Found	98
PID 3368 wrote to memory of 1768	3368	Process not Found	98
PID 3368 wrote to memory of 3540	3368	Process not Found	99
PID 3368 wrote to memory of 3540	3368	Process not Found	99
PID 3368 wrote to memory of 3092	3368	Process not Found	100
PID 3368 wrote to memory of 3092	3368	Process not Found	100
PID 3368 wrote to memory of 2744	3368	Process not Found	101
PID 3368 wrote to memory of 2744	3368	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\113fdc288d8786754c54fa4f379ce7882b08d9c047b64055239aff889360a61aN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:3384

C:\Users\Admin\AppData\Local\ZUztpdJm\isoburn.exe
C:\Users\Admin\AppData\Local\ZUztpdJm\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2848

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:1768

C:\Users\Admin\AppData\Local\ZUEEb7\AtBroker.exe
C:\Users\Admin\AppData\Local\ZUEEb7\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3540

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:3092

C:\Users\Admin\AppData\Local\AAcrjtTl\dccw.exe
C:\Users\Admin\AppData\Local\AAcrjtTl\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AAcrjtTl\dccw.exe

Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\AAcrjtTl\dxva2.dll

Filesize
720KB

MD5
b9e3c9a35bb6b3bb7de0a51eaf152bda

SHA1
13cbe6b3685f69ad817b701ae68debbace9a6f31

SHA256
2daeb4e885cfd709d9fcce8ccd63538c76ee74a2ede71e9c74aaa88cc8c5cc08

SHA512
38ff2902cf2c6361cc7d17e2fbe94b565931b05756ca8390b13ba112a99fb9969eb5619111d7be97d77bdf99f54f2dd4858ac1c0b241a5be45976b00b340c4a4

Download Submit
C:\Users\Admin\AppData\Local\ZUEEb7\AtBroker.exe

Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\ZUEEb7\UxTheme.dll

Filesize
720KB

MD5
55b1f51565b133f00693d711dbb53424

SHA1
cbb12c910b939ed5656d0d700b368a7260c56e46

SHA256
1ac6f408430a710a731324b3eccddd5f69e5e3c693eb085de97183fc677f1c27

SHA512
d33617cf46d96f2d1ca6e0928aeaeecdb77a48ee5087e902b0b3b0b2710106755cdf5d286ad181f19c9ea1e4d8284d751ac787718f19726df23243a9d1089601

Download Submit
C:\Users\Admin\AppData\Local\ZUztpdJm\UxTheme.dll

Filesize
720KB

MD5
0ccbacbf71b18f5cffdd4c47f6db277e

SHA1
79b1ed4c434be50b9afbd933db2450d806bc4384

SHA256
3357fcde0313afb8d791b05c42efc780d581ea722d75e345f333e1ed580707e2

SHA512
6ac3a07d825ab8c93b353071dc218f455b72b8e9fb5df3acfbdb77eda35167ba713c47087af3adc5104a2114b8fe832ef26be9f6789746e2ea5d1727fbc3a687

Download Submit
C:\Users\Admin\AppData\Local\ZUztpdJm\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
bf2bc0becfb1d34dcc01b6f9f9ce95de

SHA1
66cc288c6baaff987c77dc5695d4afdc34bcd0a5

SHA256
1dd04c859cf132b2eb833bb90b57f1b35eaf5ebdb4ddb590131fa76a6119d83a

SHA512
6eab632054ed4e0eb1625309df58e492f2413e870bfc5bcee3106cf91ff4cedf55c880351370e60f2fa30c6ac95741f8a125168ae708a4abb3281e009297ff8a

Download Submit
memory/2744-81-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/2848-50-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/2848-46-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/2848-45-0x0000023CC28F0000-0x0000023CC28F7000-memory.dmp

Filesize
28KB

Download
memory/3344-0-0x000001DF3F160000-0x000001DF3F167000-memory.dmp

Filesize
28KB

Download
memory/3344-38-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3344-1-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-24-0x00007FFB5F280000-0x00007FFB5F290000-memory.dmp

Filesize
64KB

Download
memory/3368-23-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-8-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-7-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-10-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-11-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-12-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-35-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-14-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-9-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-26-0x0000000000610000-0x0000000000617000-memory.dmp

Filesize
28KB

Download
memory/3368-25-0x00007FFB5F270000-0x00007FFB5F280000-memory.dmp

Filesize
64KB

Download
memory/3368-3-0x00007FFB5EF4A000-0x00007FFB5EF4B000-memory.dmp

Filesize
4KB

Download
memory/3368-4-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3368-13-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3368-6-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3540-66-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/3540-63-0x0000023443330000-0x0000023443337000-memory.dmp

Filesize
28KB

Download