dridex | 3fe07a9b47a19d1e5bd7a3ab151c4702292dad575ccee38241c830a55f285814

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe07a9b47a19d1e5bd7a3ab151c4702292dad575ccee38241c830a55f285814.dll
Size

780KB
MD5

12c235157458058ad181f648cf1fcb96
SHA1

8d7076f1a88190f2a4f2004e77ff973dd642f6c3
SHA256

3fe07a9b47a19d1e5bd7a3ab151c4702292dad575ccee38241c830a55f285814
SHA512

c46d5c8ba89760d9ce8649283e9980ecba0d8221fd97514d4e3abd0a8e6838dea50dd63d95ce01f2453aebe9dc5dc4e9aa33c15676d74e49115c83862e608807
SSDEEP

12288:PbP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:Pbe42XV7KWgmjDR/T4a/Mdjm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002610000-0x0000000002611000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2980	WindowsAnytimeUpgradeResults.exe
1808	iexpress.exe
2240	TpmInit.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
2980	WindowsAnytimeUpgradeResults.exe
1196	Process not Found
1808	iexpress.exe
1196	Process not Found
2240	TpmInit.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\D0\\iexpress.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	rundll32.exe
1720	rundll32.exe
1720	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2764	1196	Process not Found	30
PID 1196 wrote to memory of 2764	1196	Process not Found	30
PID 1196 wrote to memory of 2764	1196	Process not Found	30
PID 1196 wrote to memory of 2980	1196	Process not Found	31
PID 1196 wrote to memory of 2980	1196	Process not Found	31
PID 1196 wrote to memory of 2980	1196	Process not Found	31
PID 1196 wrote to memory of 2836	1196	Process not Found	32
PID 1196 wrote to memory of 2836	1196	Process not Found	32
PID 1196 wrote to memory of 2836	1196	Process not Found	32
PID 1196 wrote to memory of 1808	1196	Process not Found	33
PID 1196 wrote to memory of 1808	1196	Process not Found	33
PID 1196 wrote to memory of 1808	1196	Process not Found	33
PID 1196 wrote to memory of 1812	1196	Process not Found	34
PID 1196 wrote to memory of 1812	1196	Process not Found	34
PID 1196 wrote to memory of 1812	1196	Process not Found	34
PID 1196 wrote to memory of 2240	1196	Process not Found	35
PID 1196 wrote to memory of 2240	1196	Process not Found	35
PID 1196 wrote to memory of 2240	1196	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3fe07a9b47a19d1e5bd7a3ab151c4702292dad575ccee38241c830a55f285814.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\gihzR\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\gihzR\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2980

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2836

C:\Users\Admin\AppData\Local\0VOa5uB\iexpress.exe
C:\Users\Admin\AppData\Local\0VOa5uB\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1808

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:1812

C:\Users\Admin\AppData\Local\LzU06WJU\TpmInit.exe
C:\Users\Admin\AppData\Local\LzU06WJU\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0VOa5uB\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
C:\Users\Admin\AppData\Local\LzU06WJU\ACTIVEDS.dll

Filesize
784KB

MD5
2067b8db2158d67518fdcf2fbcb34bed

SHA1
c7178043fb838430252848856c8d192d90d264d2

SHA256
bdabd993d279d13a7feaac815ec98e574f99506d283c281f742a63af52d63630

SHA512
c763fb31b054d4b51c08bb6304c970ff787b358e43099fdaf7f3b5a19742395548646640182a31569381000c62761b92c9ec3b877169e51b2dab4580c711fefe

Download Submit
C:\Users\Admin\AppData\Local\LzU06WJU\TpmInit.exe

Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\gihzR\UxTheme.dll

Filesize
784KB

MD5
0c5e7a1f9cde81633bd579cc4f4dfa58

SHA1
be535c84c1d92d1a0c42caa8eb3331f3b08f6637

SHA256
ed9612fef071ab9323004a7970879efd263180e01b653bdbd27af24f890324ce

SHA512
15942a6d6b948769f54a2fda97fdaefb932ff2bb3700e8425ce2e57e91663672be75e450078321451af145a7a7ea1cfe4c823af852f7d75fd1c4d2390a946bd4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
699c1df0dcf96301484bf1e7302e7e15

SHA1
fb9772b3cad3b04cf8dc11aacc931e794c317a9a

SHA256
3edfdd4f33c58724fbb6f746288c584898f26d9e8f2c031790f85e39e223f069

SHA512
5ffb2ab9f2cf0ebe42bb7eef542094342b748f73d4b517ec386aba8d9d542827ff17f1b2e09226c6ca0c16937f21197757500dbc2ef9e9e7e37f3d5e6cc9d72f

Download Submit
\Users\Admin\AppData\Local\0VOa5uB\VERSION.dll

Filesize
780KB

MD5
481debd853216de941f8de074ae2c79a

SHA1
a205c1f9cca86c01ed9178bef78f7d4e243ec3a8

SHA256
094f845986c2b433e16f44582b85e366db23788a2fd4a5e4a4285d15ca37fc26

SHA512
71e0560a55761872899e37c4d8d489455bd7dcdcc28f3ab75fafdb4e59cd03a0d8e558e6c862a432efe4cc3a7995edde2303da5b0bd9f9efa37a0070f5b5d892

Download Submit
\Users\Admin\AppData\Local\gihzR\WindowsAnytimeUpgradeResults.exe

Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
memory/1196-25-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/1196-13-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-8-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-7-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-24-0x0000000077651000-0x0000000077652000-memory.dmp

Filesize
4KB

Download
memory/1196-23-0x00000000025F0000-0x00000000025F7000-memory.dmp

Filesize
28KB

Download
memory/1196-22-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-15-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-14-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-104-0x0000000077446000-0x0000000077447000-memory.dmp

Filesize
4KB

Download
memory/1196-35-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-40-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-41-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-9-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-4-0x0000000077446000-0x0000000077447000-memory.dmp

Filesize
4KB

Download
memory/1196-5-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-10-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1720-11-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1720-0-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/1720-1-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1808-75-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2240-92-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2240-91-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2980-52-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2980-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2980-58-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download