dridex | 5a157047eafbf851e6fe87a68dfb489bf4bac615c2698797b5129fe3a8a6a996

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a157047eafbf851e6fe87a68dfb489bf4bac615c2698797b5129fe3a8a6a996.dll
Size

780KB
MD5

8fa9b4c27bd3e4304a59e5e72d68cd9c
SHA1

c20c63a23dcda13bea5c22fbee61015cc55018d1
SHA256

5a157047eafbf851e6fe87a68dfb489bf4bac615c2698797b5129fe3a8a6a996
SHA512

b0ef9910306ed36e8ab3b9db673b503c7e4ee4fe33fa0bed57619a6cc8496e56200451e1d7ec5d7980db9b810bb8fa15b0296c5d757750322b22b240ff1c7e80
SSDEEP

12288:nbP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:nbe42XV7KWgmjDR/T4a/Mdjm

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-4-0x0000000002A50000-0x0000000002A51000-memory.dmp	dridex_stager_shellcode

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\XB7lrU	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\XB7lrU\ReAgent.dll	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\XB7lrU\RecoveryDrive.exe	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
2376	RecoveryDrive.exe
2804	Taskmgr.exe
4136	DisplaySwitch.exe

Loads dropped DLL 3 IoCs

pid	Process
2376	RecoveryDrive.exe
2804	Taskmgr.exe
4136	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\xdz7nj6Tn7\\Taskmgr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RecoveryDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	rundll32.exe
2536	rundll32.exe
2536	rundll32.exe
2536	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 2720	3432	Process not Found	83
PID 3432 wrote to memory of 2720	3432	Process not Found	83
PID 3432 wrote to memory of 2376	3432	Process not Found	84
PID 3432 wrote to memory of 2376	3432	Process not Found	84
PID 3432 wrote to memory of 3224	3432	Process not Found	85
PID 3432 wrote to memory of 3224	3432	Process not Found	85
PID 3432 wrote to memory of 2804	3432	Process not Found	86
PID 3432 wrote to memory of 2804	3432	Process not Found	86
PID 3432 wrote to memory of 556	3432	Process not Found	87
PID 3432 wrote to memory of 556	3432	Process not Found	87
PID 3432 wrote to memory of 4136	3432	Process not Found	88
PID 3432 wrote to memory of 4136	3432	Process not Found	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a157047eafbf851e6fe87a68dfb489bf4bac615c2698797b5129fe3a8a6a996.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2536

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:2720

C:\Users\Admin\AppData\Local\MUtr3\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\MUtr3\RecoveryDrive.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2376

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:3224

C:\Users\Admin\AppData\Local\ASSPuGph\Taskmgr.exe
C:\Users\Admin\AppData\Local\ASSPuGph\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2804

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:556

C:\Users\Admin\AppData\Local\UxXCMFN\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\UxXCMFN\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ASSPuGph\DUser.dll

Filesize
788KB

MD5
6bc1f2bca6fc9709a6a9d2541c7b6adb

SHA1
edfca1479e53ace769171ba6a791c6d810d701ca

SHA256
d29cbd3215a7a47afd467799df2e6d7c36765821ba10635c071c8a05af2b8b4e

SHA512
568b662c7420fdbd291a3b4d96195cdad9f3bf3dd3b0760a1e52c4d93fd3d7961795bb9fcddb637f47e13ed49a9fe33b120f6b3a4490dbb11e0cc2b9db9d8e8c

Download Submit
C:\Users\Admin\AppData\Local\ASSPuGph\Taskmgr.exe

Filesize
1.2MB

MD5
58d5bc7895f7f32ee308e34f06f25dd5

SHA1
7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

SHA256
4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

SHA512
872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

Download Submit
C:\Users\Admin\AppData\Local\MUtr3\ReAgent.dll

Filesize
784KB

MD5
54bf8961cb7f469f418b4f650bfa039f

SHA1
6bc3529a54a7462fc42878e767c291c6602e4631

SHA256
2b7b84d2ba1ab4a87e8427cae6564388b2176690f98ea2d31f777925dfd2bb32

SHA512
f7df6927a79ff45348c131efbccf5d19d71da767fbed87d5cfcf4dd716d472ebd69d08dcc987145c4b879089dfe8ebc3c85fdeadcd3a4fc56b4ed5fe7c6be40d

Download Submit
C:\Users\Admin\AppData\Local\MUtr3\RecoveryDrive.exe

Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Local\UxXCMFN\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\UxXCMFN\WINSTA.dll

Filesize
788KB

MD5
c7c01ecc274e2655505172b2784021da

SHA1
83c52e1ffbef6b1200be534b1368a67eedd7766e

SHA256
db5bc1e322b03519c6697480275123966f4bc173dee073836fb6957f926e2919

SHA512
ad5fa73db289fa0e7c1669d7738a7e3272e77f073182d0f765b688de89c6acb752bf00552ca7e1d5dd359d123825851131511d09c8b9dc4d536d5ddcd5127def

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
2babb085cd6198aa954975405ad028c7

SHA1
c4bff706a22bff8528a579fe5414c21f1c2915f3

SHA256
9fadda52c4bbb63214496987a48fd5a0b567bcc16db2b63b149fb9bbc7600eb6

SHA512
0597563e875829402fdde0212b90c25f23766f8e4cb5a9fd205b1384decbe82b0380e3e52612ce2d718aaeede3ca91b68484918bf33b3e6f6543ab50d7b6bef0

Download Submit
memory/2376-44-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2376-50-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2376-47-0x00000256C96D0000-0x00000256C96D7000-memory.dmp

Filesize
28KB

Download
memory/2536-1-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2536-14-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2536-0-0x000001B468F60000-0x000001B468F67000-memory.dmp

Filesize
28KB

Download
memory/2804-63-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/2804-68-0x0000021562380000-0x0000021562387000-memory.dmp

Filesize
28KB

Download
memory/2804-69-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3432-23-0x00007FFE4EE00000-0x00007FFE4EE10000-memory.dmp

Filesize
64KB

Download
memory/3432-24-0x0000000000C70000-0x0000000000C77000-memory.dmp

Filesize
28KB

Download
memory/3432-8-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-33-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-9-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-10-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-11-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-12-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-15-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-35-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-22-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-13-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-7-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3432-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3432-5-0x00007FFE4D05A000-0x00007FFE4D05B000-memory.dmp

Filesize
4KB

Download
memory/4136-86-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/4136-80-0x000001D8F3220000-0x000001D8F3227000-memory.dmp

Filesize
28KB

Download