dridex | 21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll
Size

724KB
MD5

755eb0def2568d37a1d149b3018bdcce
SHA1

e69c1d12dc3d2aa730aa8a9d94757c73777bd54d
SHA256

21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c
SHA512

2ef40d5038c63489149fde266db0e1d440f45a4e8056353ef7e4a70c8df65917a782ceb139955af8cd814704b29c58e548c47c3e521b872fe8e62301d54301ec
SSDEEP

12288:KO3+ivi0RNOR/5DH2InMtdhtvX2tvJljUWcJxm/Osj3lx7l6X0k97L4HAF3itk:7vdvOZ9H2+Mt7tvX2tvJljT/mi1xJ6tX

Score

10^/10

dridex botnet evasion loader payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Loader 'dmod' strings 10 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

resource	yara_rule
behavioral2/memory/2672-0-0x00007FFA0F2F0000-0x00007FFA0F3A5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3432-16-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3432-33-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3432-22-0x0000000140000000-0x00000001400B5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/2672-36-0x00007FFA0F2F0000-0x00007FFA0F3A5000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/5108-44-0x00007FFA03970000-0x00007FFA03A26000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/5108-49-0x00007FFA03970000-0x00007FFA03A26000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3120-66-0x00007FFA03970000-0x00007FFA03A26000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/752-77-0x00007FFA03930000-0x00007FFA03A2B000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/752-82-0x00007FFA03930000-0x00007FFA03A2B000-memory.dmp	dridex_ldr_dmod

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-4-0x0000000002510000-0x0000000002511000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
5108	omadmclient.exe
3120	BdeUISrv.exe
752	CameraSettingsUIHost.exe

Loads dropped DLL 3 IoCs

pid	Process
5108	omadmclient.exe
3120	BdeUISrv.exe
752	CameraSettingsUIHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\TSWCOV~1\\BdeUISrv.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1236	3432	Process not Found	96
PID 3432 wrote to memory of 1236	3432	Process not Found	96
PID 3432 wrote to memory of 5108	3432	Process not Found	97
PID 3432 wrote to memory of 5108	3432	Process not Found	97
PID 3432 wrote to memory of 1568	3432	Process not Found	98
PID 3432 wrote to memory of 1568	3432	Process not Found	98
PID 3432 wrote to memory of 3120	3432	Process not Found	99
PID 3432 wrote to memory of 3120	3432	Process not Found	99
PID 3432 wrote to memory of 3212	3432	Process not Found	100
PID 3432 wrote to memory of 3212	3432	Process not Found	100
PID 3432 wrote to memory of 752	3432	Process not Found	101
PID 3432 wrote to memory of 752	3432	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:1236

C:\Users\Admin\AppData\Local\noGb77M\omadmclient.exe
C:\Users\Admin\AppData\Local\noGb77M\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5108

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\YWU\BdeUISrv.exe
C:\Users\Admin\AppData\Local\YWU\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3120

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:3212

C:\Users\Admin\AppData\Local\akPgsLK6b\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\akPgsLK6b\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\YWU\BdeUISrv.exe

Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\YWU\WTSAPI32.dll

Filesize
728KB

MD5
068a77ab7ad4aa3a2369f3bd4691ef86

SHA1
f53665584c12cdb45279d615c5a6b249588f2283

SHA256
6d2524596ca3634b35b1de7218c6baf9c342736d01f7b4a4b28536f8e4d319e7

SHA512
0b04ab0755b665ebe512f45c5c46ed27b84550e3165cdb3488b7835016a2035bb2981390cb4d1d4a5572fb8239b7832f62af69f19c704f149694127f25c4633e

Download Submit
C:\Users\Admin\AppData\Local\akPgsLK6b\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\akPgsLK6b\DUI70.dll

Filesize
1004KB

MD5
8bab4efdc83f5b2ee1234cec8cd89675

SHA1
c2fef93947bfd776dcc3d801a6e454d668be4b58

SHA256
07d2fdd8c2ecc52e3242356e1b7f44728f5554a4255d97c8716e300e34976cdc

SHA512
c5d99ee2462d016d8d1481740592f564734f9977a59383a4ef908e3f6099438f9a8474e3adc05ee4ce2bab271390c4020a51ac73a879ebe30701b737ceed3435

Download Submit
C:\Users\Admin\AppData\Local\noGb77M\XmlLite.dll

Filesize
728KB

MD5
f9d526eb988abfbc2b0f732fb23d1fa8

SHA1
c55dffebcd0c1d9c7d57522cce4ccba2d80f36cd

SHA256
9b0da1fb469bde54c4de52a5d6c730fbbe14cc4a149deee51102b22cc98ab4b1

SHA512
5bad224f7e2fdcff7806aa00418bd53f8ea7c029fef0be8616becaaa73b0fac445e73bfb531cae208f923866f7359cd70228b96525e64f35e0e6c1b7b9855c80

Download Submit
C:\Users\Admin\AppData\Local\noGb77M\omadmclient.exe

Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
06f015f8cfc9e057dcc3534b1f983495

SHA1
a05865141d78ef745c3dc29ead162dde5a6886ca

SHA256
57b5bda9e6e5da47e58221dfcda29604ed82885cc0fe6dab9174ef0b8c77c71c

SHA512
3ed8dc45b99acb0a9eefddb7ef28e4286ea05607e3f5ace0920abfbb0183bd0ab6ab4cda22c2e9888146164237f66a61c605a006ebe0cb5983b87cc6293ce094

Download Submit
memory/752-82-0x00007FFA03930000-0x00007FFA03A2B000-memory.dmp

Filesize
1004KB

Download
memory/752-77-0x00007FFA03930000-0x00007FFA03A2B000-memory.dmp

Filesize
1004KB

Download
memory/2672-0-0x00007FFA0F2F0000-0x00007FFA0F3A5000-memory.dmp

Filesize
724KB

Download
memory/2672-36-0x00007FFA0F2F0000-0x00007FFA0F3A5000-memory.dmp

Filesize
724KB

Download
memory/2672-3-0x000002EA8CC80000-0x000002EA8CC87000-memory.dmp

Filesize
28KB

Download
memory/3120-63-0x0000023B75730000-0x0000023B75737000-memory.dmp

Filesize
28KB

Download
memory/3120-66-0x00007FFA03970000-0x00007FFA03A26000-memory.dmp

Filesize
728KB

Download
memory/3432-23-0x0000000000AA0000-0x0000000000AA7000-memory.dmp

Filesize
28KB

Download
memory/3432-24-0x00007FFA21FB0000-0x00007FFA21FC0000-memory.dmp

Filesize
64KB

Download
memory/3432-8-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-15-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-10-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-11-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-22-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-4-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3432-5-0x00007FFA2109A000-0x00007FFA2109B000-memory.dmp

Filesize
4KB

Download
memory/3432-7-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-33-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-12-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-13-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-9-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-16-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/3432-14-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/5108-49-0x00007FFA03970000-0x00007FFA03A26000-memory.dmp

Filesize
728KB

Download
memory/5108-44-0x00007FFA03970000-0x00007FFA03A26000-memory.dmp

Filesize
728KB

Download
memory/5108-43-0x0000015191960000-0x0000015191967000-memory.dmp

Filesize
28KB

Download