dridex | b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6.dll
Size

788KB
MD5

3736823fd2de325ff15849e82629cddb
SHA1

9d87dac4828e2899fc0929af37b2b7a5f6431186
SHA256

b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6
SHA512

c6b5dec2b177ef5e1236b6867745dfb09dee853ae2fa515aacaf7bdf6c10216a7da3e9e62918e92da1a8509e03674d785a39ebf83c75b912fbc7d9ab23750cbe
SSDEEP

12288:ibP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQW:ibe42XV7KWgmjDR/T4a/MdjmJ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-5-0x00000000029D0000-0x00000000029D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1412	msinfo32.exe
2864	msra.exe
288	BitLockerWizardElev.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
1412	msinfo32.exe
1196	Process not Found
2864	msra.exe
1196	Process not Found
288	BitLockerWizardElev.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\Rnj466\\msra.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2600	1196	Process not Found	31
PID 1196 wrote to memory of 2600	1196	Process not Found	31
PID 1196 wrote to memory of 2600	1196	Process not Found	31
PID 1196 wrote to memory of 1412	1196	Process not Found	32
PID 1196 wrote to memory of 1412	1196	Process not Found	32
PID 1196 wrote to memory of 1412	1196	Process not Found	32
PID 1196 wrote to memory of 2784	1196	Process not Found	33
PID 1196 wrote to memory of 2784	1196	Process not Found	33
PID 1196 wrote to memory of 2784	1196	Process not Found	33
PID 1196 wrote to memory of 2864	1196	Process not Found	34
PID 1196 wrote to memory of 2864	1196	Process not Found	34
PID 1196 wrote to memory of 2864	1196	Process not Found	34
PID 1196 wrote to memory of 892	1196	Process not Found	35
PID 1196 wrote to memory of 892	1196	Process not Found	35
PID 1196 wrote to memory of 892	1196	Process not Found	35
PID 1196 wrote to memory of 288	1196	Process not Found	36
PID 1196 wrote to memory of 288	1196	Process not Found	36
PID 1196 wrote to memory of 288	1196	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2600

C:\Users\Admin\AppData\Local\j7LT\msinfo32.exe
C:\Users\Admin\AppData\Local\j7LT\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1412

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\Z2g\msra.exe
C:\Users\Admin\AppData\Local\Z2g\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2864

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:892

C:\Users\Admin\AppData\Local\S2SI\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\S2SI\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\S2SI\FVEWIZ.dll

Filesize
792KB

MD5
e6947189f7f1e9dc31251101dfa46cb1

SHA1
d09f7ac58c834b50881ef2a78e4a41f47441315b

SHA256
cbb3a9079d47cc496018bb218f8749305f30966b125500dbd2bb2c963ba1ff07

SHA512
06a229bc7c06fbf4ea191cd2f321c1150f2869a21d8f1c24123682871ff82065ba6b5c4bdddf7dd7194cc9d740063d65d7f39deea1e4e4d2dccfd6b314c79e23

Download Submit
C:\Users\Admin\AppData\Local\Z2g\NDFAPI.DLL

Filesize
792KB

MD5
02d182e4945199c4bb76a067af9e5a1d

SHA1
9f40222e8161aeb7eda9176adc4b47755a0b2b67

SHA256
85dff69ec2a31aab3c7ca3a6d223a5d88c9e0a79d9cd29db350237b692598e4f

SHA512
66336d5da1fc1a2554ee50e32ccb3176fa605baa39f54864c6c93daf30ace364ecff13686265b92311e56869bf729b71bf252f05607aa74150ca82aa62f5e918

Download Submit
C:\Users\Admin\AppData\Local\j7LT\MFC42u.dll

Filesize
816KB

MD5
122ef3c31cbe5dcfb48167e6b58af887

SHA1
2016aa78769fff07720b6bef6b686a993dbfa4ba

SHA256
6e90d5dcfbedc81feffbf07567b07eefa33ea286a3a766316a8f392b9c7becb5

SHA512
d438f8bc3b1bb298d6e70563964a4a658f3967d568b634b4a2588843b865c66a5998a0f33a2b57ec2feeb3ddcb6c27b4f14d183eaba21fa4441a13f00407c188

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
954B

MD5
84b7ac56c394c19acbd7d44d898d0f8b

SHA1
1c2af04624e4c6f64bd57b753b97a2266d332671

SHA256
64c9df561695695f0cd55219fb4b94df42b1add73c270ef90ed4a502cf777da1

SHA512
53ab215b7d0f58c1df15edd118f837f7afc23adc7fa4b71534d5e692a6f51b71be8f0eda316d446b9482d117ebf4ca57b86d92caf67aea1ba302061553b1e827

Download Submit
\Users\Admin\AppData\Local\S2SI\BitLockerWizardElev.exe

Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\Z2g\msra.exe

Filesize
636KB

MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Local\j7LT\msinfo32.exe

Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
memory/288-94-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1196-12-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-8-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-13-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-15-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-16-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-24-0x0000000002640000-0x0000000002647000-memory.dmp

Filesize
28KB

Download
memory/1196-23-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-14-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-28-0x0000000077430000-0x0000000077432000-memory.dmp

Filesize
8KB

Download
memory/1196-27-0x00000000772D1000-0x00000000772D2000-memory.dmp

Filesize
4KB

Download
memory/1196-35-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-40-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-39-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-106-0x00000000771C6000-0x00000000771C7000-memory.dmp

Filesize
4KB

Download
memory/1196-10-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-4-0x00000000771C6000-0x00000000771C7000-memory.dmp

Filesize
4KB

Download
memory/1196-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1196-9-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1196-7-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1412-59-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1412-58-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/1412-53-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/2804-0-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/2804-11-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/2804-3-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/2864-71-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2864-72-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2864-77-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download