dridex | b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6.dll
Size

788KB
MD5

3736823fd2de325ff15849e82629cddb
SHA1

9d87dac4828e2899fc0929af37b2b7a5f6431186
SHA256

b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6
SHA512

c6b5dec2b177ef5e1236b6867745dfb09dee853ae2fa515aacaf7bdf6c10216a7da3e9e62918e92da1a8509e03674d785a39ebf83c75b912fbc7d9ab23750cbe
SSDEEP

12288:ibP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQW:ibe42XV7KWgmjDR/T4a/MdjmJ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3460-5-0x00000000025A0000-0x00000000025A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3300	slui.exe
512	WindowsActionDialog.exe
3128	PresentationSettings.exe

Loads dropped DLL 3 IoCs

pid	Process
3300	slui.exe
512	WindowsActionDialog.exe
3128	PresentationSettings.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzvdnevrdk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\VGg9CQ9N5a\\WindowsActionDialog.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 2612	3460	Process not Found	82
PID 3460 wrote to memory of 2612	3460	Process not Found	82
PID 3460 wrote to memory of 3300	3460	Process not Found	83
PID 3460 wrote to memory of 3300	3460	Process not Found	83
PID 3460 wrote to memory of 2952	3460	Process not Found	84
PID 3460 wrote to memory of 2952	3460	Process not Found	84
PID 3460 wrote to memory of 512	3460	Process not Found	85
PID 3460 wrote to memory of 512	3460	Process not Found	85
PID 3460 wrote to memory of 2936	3460	Process not Found	86
PID 3460 wrote to memory of 2936	3460	Process not Found	86
PID 3460 wrote to memory of 3128	3460	Process not Found	87
PID 3460 wrote to memory of 3128	3460	Process not Found	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b325149f6f6227fc9512a5d5d7f8c552ebd4dd7433306e2eac0c42ef75f6cfd6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\A4aRqVP\slui.exe
C:\Users\Admin\AppData\Local\A4aRqVP\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3300

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:2952

C:\Users\Admin\AppData\Local\8ZMSEhL2a\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\8ZMSEhL2a\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:512

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2936

C:\Users\Admin\AppData\Local\998zg\PresentationSettings.exe
C:\Users\Admin\AppData\Local\998zg\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8ZMSEhL2a\DUI70.dll

Filesize
1.0MB

MD5
5846c1febb8261c907f95d03cf8db1b7

SHA1
1830f1c50d19241bdecd6c3ffe9717640ef437ae

SHA256
209bf45741a650e472bde3bffa6e777f26c452d0d119e2f970f38b53da62448f

SHA512
8e477666cc977ff8956bcab30cf8f6d127d2c45704fd4e3a9bdae1604edeb870b9d705cb4739bdb91868bb4c8a6d24eaf80f58fbada453406bbd1807baedd3e6

Download Submit
C:\Users\Admin\AppData\Local\8ZMSEhL2a\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\998zg\PresentationSettings.exe

Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\998zg\WINMM.dll

Filesize
796KB

MD5
7ed9a540a4e37a45ccc718b7c2783eac

SHA1
7bc443379dc9938d013e1128e29efbdf878671bf

SHA256
97c967ec9178a9f3a692385e8d3343a5f8aed627b5ab44d66c8dc3a444f97d58

SHA512
0eb8e9628b5ee0337a595b65a2ed31e6b667dea6596c9abcac720c3e8e35b1c8b98ddf0fbe8935366d5e3d9bc329839a89db781d2ca75d47158e552d383ce1ef

Download Submit
C:\Users\Admin\AppData\Local\A4aRqVP\WTSAPI32.dll

Filesize
792KB

MD5
4d61abbe5ff37f749cc9a205fa1b9528

SHA1
903d8eff5fa8bb314c8e7208d51e1af66ce5a0a2

SHA256
c269787441d0fb5d48bc83ff88fdccce5ce2b9487d4ff106f4b0699b6d49a304

SHA512
53f157d0b7c5cb3a145d4ed6e00280560ae0a9059b5fc4f2d1bab92875164ed3af8d2fda8a39a91e467363b5db8c35d20d693d4066398444ffec80decd2fb014

Download Submit
C:\Users\Admin\AppData\Local\A4aRqVP\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk

Filesize
1KB

MD5
7884f8a7f510b58034f826bd7e477506

SHA1
8980ed0f23a2b557dacf6f34f51c91352688d4d5

SHA256
1783e5539ac0f6c318913ddc5a540b8a85716f0bdb55abf958d70a3e2fca3361

SHA512
9334e1e90555d6a8b39c11bd7fd810f9cbfdddce7eb7d4441f7224bd02a04a1b6589fcc33347acbbc312744062921c9faa9d445b0e6ce8f733d814eb3a5bd5d3

Download Submit
memory/512-62-0x0000000140000000-0x000000014010B000-memory.dmp

Filesize
1.0MB

Download
memory/512-68-0x0000000140000000-0x000000014010B000-memory.dmp

Filesize
1.0MB

Download
memory/512-67-0x0000018901150000-0x0000018901157000-memory.dmp

Filesize
28KB

Download
memory/1976-0-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1976-15-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1976-3-0x000001E3BE850000-0x000001E3BE857000-memory.dmp

Filesize
28KB

Download
memory/3128-79-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3128-84-0x0000017219CD0000-0x0000017219CD7000-memory.dmp

Filesize
28KB

Download
memory/3128-85-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3300-50-0x000002719EA20000-0x000002719EA27000-memory.dmp

Filesize
28KB

Download
memory/3300-45-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3300-51-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3460-10-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-16-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-4-0x00007FFED695A000-0x00007FFED695B000-memory.dmp

Filesize
4KB

Download
memory/3460-9-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-8-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-7-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-34-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-25-0x00007FFED8800000-0x00007FFED8810000-memory.dmp

Filesize
64KB

Download
memory/3460-23-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-13-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-5-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3460-24-0x0000000000770000-0x0000000000777000-memory.dmp

Filesize
28KB

Download
memory/3460-36-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-11-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-14-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3460-12-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download