dridex | 21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll
Size

724KB
MD5

755eb0def2568d37a1d149b3018bdcce
SHA1

e69c1d12dc3d2aa730aa8a9d94757c73777bd54d
SHA256

21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c
SHA512

2ef40d5038c63489149fde266db0e1d440f45a4e8056353ef7e4a70c8df65917a782ceb139955af8cd814704b29c58e548c47c3e521b872fe8e62301d54301ec
SSDEEP

12288:KO3+ivi0RNOR/5DH2InMtdhtvX2tvJljUWcJxm/Osj3lx7l6X0k97L4HAF3itk:7vdvOZ9H2+Mt7tvX2tvJljT/mi1xJ6tX

Score

10^/10

dridex botnet evasion loader payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Loader 'dmod' strings 10 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

resource	yara_rule
behavioral2/memory/2296-0-0x00007FFC83790000-0x00007FFC83845000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3448-22-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3448-33-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3448-16-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/2296-36-0x00007FFC83790000-0x00007FFC83845000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/996-44-0x00007FFC72E70000-0x00007FFC72F27000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/996-49-0x00007FFC72E70000-0x00007FFC72F27000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/4940-66-0x00007FFC72E70000-0x00007FFC72F26000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/4940-60-0x00007FFC72E70000-0x00007FFC72F26000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/2548-82-0x00007FFC72E70000-0x00007FFC72F26000-memory.dmp	dridex_ldr_dmod

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3448-4-0x0000000002D20000-0x0000000002D21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
996	rdpinit.exe
4940	dxgiadaptercache.exe
2548	MDMAppInstaller.exe

Loads dropped DLL 3 IoCs

pid	Process
996	rdpinit.exe
4940	dxgiadaptercache.exe
2548	MDMAppInstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\a2oyB\\dxgiadaptercache.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	rundll32.exe
2296	rundll32.exe
2296	rundll32.exe
2296	rundll32.exe
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3448	Process not Found
3448	Process not Found
3448	Process not Found

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3448	Process not Found
3448	Process not Found
3448	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 3884	3448	Process not Found	96
PID 3448 wrote to memory of 3884	3448	Process not Found	96
PID 3448 wrote to memory of 996	3448	Process not Found	97
PID 3448 wrote to memory of 996	3448	Process not Found	97
PID 3448 wrote to memory of 4596	3448	Process not Found	98
PID 3448 wrote to memory of 4596	3448	Process not Found	98
PID 3448 wrote to memory of 4940	3448	Process not Found	99
PID 3448 wrote to memory of 4940	3448	Process not Found	99
PID 3448 wrote to memory of 1740	3448	Process not Found	100
PID 3448 wrote to memory of 1740	3448	Process not Found	100
PID 3448 wrote to memory of 2548	3448	Process not Found	101
PID 3448 wrote to memory of 2548	3448	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:3884

C:\Users\Admin\AppData\Local\iU2kcM\rdpinit.exe
C:\Users\Admin\AppData\Local\iU2kcM\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:996

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:4596

C:\Users\Admin\AppData\Local\BbINk9R0p\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\BbINk9R0p\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4940

C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
1⤵
PID:1740

C:\Users\Admin\AppData\Local\dBI9cA\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\dBI9cA\MDMAppInstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BbINk9R0p\dxgi.dll

Filesize
728KB

MD5
4bf11c7bba2579ee06ac4ea97c9ed4b0

SHA1
08299031aadabfced962fbbef48711d4d2212928

SHA256
cce6157d62bf884bab4739cd15c8863ede4023498dc705700f5407f5e7cdaf8c

SHA512
ab9ff1e929bd3ff823176ae69cdfb18ecd85699721f4c373895a0aebf6bb9e5aefa7046f3b7bb5dd949475a493758069cfab72c7d44b3dab2bce343ac4e4f3e1

Download Submit
C:\Users\Admin\AppData\Local\BbINk9R0p\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\dBI9cA\MDMAppInstaller.exe

Filesize
151KB

MD5
30e978cc6830b04f1e7ed285cccaa746

SHA1
e915147c17e113c676c635e2102bbff90fb7aa52

SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Download Submit
C:\Users\Admin\AppData\Local\dBI9cA\WTSAPI32.dll

Filesize
728KB

MD5
d2b0ee1b72c646fbf88a50e461ccb884

SHA1
586c56a5daeb444b994f73e802ffb86aa63aff71

SHA256
f9bf39bcd6161806a7522f3c9b04af671868a3f82188559fe3fbbe884558cba7

SHA512
fbe89b3baf2fe6423f7059ccb694d056d66eb0154f24a5c2640c58b4b55cd65aebbf6b03d9c37799174a7d04b4c478f3a6df58c573e2d0774a49cf336e18aa8e

Download Submit
C:\Users\Admin\AppData\Local\iU2kcM\WINSTA.dll

Filesize
732KB

MD5
af6d7d0af1de70d90e98ebdad4603fcc

SHA1
faa0f0ce0e0abea25c2aa9c081e86584d76d2cec

SHA256
af9ca9f7e1c5026ca84503564601121d0ee2075acdcd25bc44d6c93d47215d58

SHA512
534b6dde27e318d7c440acea8bf4cb02d26fc62308429fcbfbd98068b1089a78492f3303c80a71394c9875df83df32149a7eadeaf41aa2e8df8596699806e915

Download Submit
C:\Users\Admin\AppData\Local\iU2kcM\rdpinit.exe

Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
1KB

MD5
6cb9b7339d5bf712cb92a6ab416ff970

SHA1
9fe6957e0a2a5966bd68f63f0803512292e92950

SHA256
118f5b4265c832c1e3802e54ffb2c7b41b149463c3f631525317290e46d98681

SHA512
55b0dd2dcac49987e3dba5f038d77bd1f23b9ab6458528a1f1befa682fe22433e16e206f70274f3838725faa2befbb955a80a644d3bd0bd44377c953bf99fc04

Download Submit
memory/996-49-0x00007FFC72E70000-0x00007FFC72F27000-memory.dmp

Filesize
732KB

Download
memory/996-44-0x00007FFC72E70000-0x00007FFC72F27000-memory.dmp

Filesize
732KB

Download
memory/996-43-0x000002BD99AA0000-0x000002BD99AA7000-memory.dmp

Filesize
28KB

Download
memory/2296-3-0x00000163478D0000-0x00000163478D7000-memory.dmp

Filesize
28KB

Download
memory/2296-36-0x00007FFC83790000-0x00007FFC83845000-memory.dmp

Filesize
724KB

Download
memory/2296-0-0x00007FFC83790000-0x00007FFC83845000-memory.dmp

Filesize
724KB

Download
memory/2548-82-0x00007FFC72E70000-0x00007FFC72F26000-memory.dmp

Filesize
728KB

Download
memory/3448-16-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-15-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-7-0x00007FFC8FBDA000-0x00007FFC8FBDB000-memory.dmp

Filesize
4KB

Download
memory/3448-4-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/3448-8-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-9-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-10-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-11-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-12-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-6-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-33-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-22-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-13-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-14-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3448-26-0x00007FFC90F30000-0x00007FFC90F40000-memory.dmp

Filesize
64KB

Download
memory/3448-25-0x0000000000C00000-0x0000000000C07000-memory.dmp

Filesize
28KB

Download
memory/4940-60-0x00007FFC72E70000-0x00007FFC72F26000-memory.dmp

Filesize
728KB

Download
memory/4940-66-0x00007FFC72E70000-0x00007FFC72F26000-memory.dmp

Filesize
728KB

Download
memory/4940-63-0x0000014489C60000-0x0000014489C67000-memory.dmp

Filesize
28KB

Download