dridex | 5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93.dll
Size

788KB
MD5

57ff8aad6421b8785d191a75825a457d
SHA1

7991ebfc143d958342135a84297ee949ef110f2a
SHA256

5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93
SHA512

ec22ac2a7f68eb08b253a75efa75ca5d7dda6c726bc24f799556dd88f1347066c9a36ee683c8e77fef0cc42b0a86c4cbd6caabcf432134b63e815601b76fb908
SSDEEP

24576:9WyoyFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:oSuVMK6vx2RsIKNrj

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002570000-0x0000000002571000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2632	javaws.exe
376	dpnsvr.exe
2056	tabcal.exe

Loads dropped DLL 7 IoCs

pid	Process
1200	Process not Found
2632	javaws.exe
1200	Process not Found
376	dpnsvr.exe
1200	Process not Found
2056	tabcal.exe
1200	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\c4\\dpnsvr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2716	1200	Process not Found	30
PID 1200 wrote to memory of 2716	1200	Process not Found	30
PID 1200 wrote to memory of 2716	1200	Process not Found	30
PID 1200 wrote to memory of 2632	1200	Process not Found	31
PID 1200 wrote to memory of 2632	1200	Process not Found	31
PID 1200 wrote to memory of 2632	1200	Process not Found	31
PID 1200 wrote to memory of 1836	1200	Process not Found	32
PID 1200 wrote to memory of 1836	1200	Process not Found	32
PID 1200 wrote to memory of 1836	1200	Process not Found	32
PID 1200 wrote to memory of 376	1200	Process not Found	33
PID 1200 wrote to memory of 376	1200	Process not Found	33
PID 1200 wrote to memory of 376	1200	Process not Found	33
PID 1200 wrote to memory of 2700	1200	Process not Found	34
PID 1200 wrote to memory of 2700	1200	Process not Found	34
PID 1200 wrote to memory of 2700	1200	Process not Found	34
PID 1200 wrote to memory of 2056	1200	Process not Found	35
PID 1200 wrote to memory of 2056	1200	Process not Found	35
PID 1200 wrote to memory of 2056	1200	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:2716

C:\Users\Admin\AppData\Local\qsc1LEkq8\javaws.exe
C:\Users\Admin\AppData\Local\qsc1LEkq8\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2632

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\HPrL6Ylw\dpnsvr.exe
C:\Users\Admin\AppData\Local\HPrL6Ylw\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:376

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2700

C:\Users\Admin\AppData\Local\ay0CwrFJC\tabcal.exe
C:\Users\Admin\AppData\Local\ay0CwrFJC\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HPrL6Ylw\WINMM.dll

Filesize
796KB

MD5
8b93f148ffdbad8e5fe72cefb320209d

SHA1
b4965ea0ce8b87b67c3f25ab20f3b7ef75007de4

SHA256
2eea465d200f2677220dbc0ec2dc28ac4e30cbbf4e1894a6ea207ab8af6bad51

SHA512
e6ea736f454da7fde29552203aa9ddf3640da52e8a510b761c479afe922361f6b02ab8109cb3a5b04b00f8464d01b674051f05bfb1ee8b7962c5cb4c62671171

Download Submit
C:\Users\Admin\AppData\Local\qsc1LEkq8\VERSION.dll

Filesize
788KB

MD5
12e2d7329ab5f406d6605c8a13750248

SHA1
537a10eeab007a3795d0f78e21accc2a8e1d42e4

SHA256
e1461d5999757debc1596594c61b9e7ae56979d02105536e60a1303f0b96025a

SHA512
9cd54fd7e3ed558fe1eabaf341237b84c38bba8676943cfd333462cd527c16ab2878ec56fc890f299b7c58a36c2a6287e75a48e8c72cc2ab3ad6d9acb5a08815

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
8abf75090c887d0ddc244c962f856291

SHA1
c28c6ebe659d05e130ceca60938112189d149290

SHA256
2b5b730674037b17f1fdd635cd7d97c0ed982df5c35aae72fc264b23e5d692c3

SHA512
1ffcd9e6d9edb5ae29d57c42895801335d13ddbbacb7a6a10b7d5cfe88176f8fe958d51ed99c01ec3dd4bea7fa08077867a36e922b8c6d49f2eaac2dd014b29c

Download Submit
\Users\Admin\AppData\Local\HPrL6Ylw\dpnsvr.exe

Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
\Users\Admin\AppData\Local\ay0CwrFJC\HID.DLL

Filesize
792KB

MD5
5faad3228e9987187abf354f779ca440

SHA1
215ab4caf05a2a9cff0ae71474a048e340f49a50

SHA256
529368f387e6dd5aa407c9df9576b20ce95a22c6e224fd45f2a4fdc0551fe3b5

SHA512
ebb3f0f928ecb9802ab6f588b0418c5857257b1fda6edfe7bb89e2f3da51b1923c305162755fb1e9543f22db5272ec2eb6f807a36658299d8ea372f329f6abda

Download Submit
\Users\Admin\AppData\Local\ay0CwrFJC\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\qsc1LEkq8\javaws.exe

Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
memory/376-77-0x000007FEF68C0000-0x000007FEF6987000-memory.dmp

Filesize
796KB

Download
memory/376-72-0x000007FEF68C0000-0x000007FEF6987000-memory.dmp

Filesize
796KB

Download
memory/376-71-0x0000000001B50000-0x0000000001B57000-memory.dmp

Filesize
28KB

Download
memory/1200-9-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-40-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-15-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-14-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-13-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-108-0x0000000077656000-0x0000000077657000-memory.dmp

Filesize
4KB

Download
memory/1200-11-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-10-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-7-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-35-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-39-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-5-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1200-44-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-24-0x0000000002550000-0x0000000002557000-memory.dmp

Filesize
28KB

Download
memory/1200-26-0x00000000778C0000-0x00000000778C2000-memory.dmp

Filesize
8KB

Download
memory/1200-17-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-8-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-4-0x0000000077656000-0x0000000077657000-memory.dmp

Filesize
4KB

Download
memory/1200-25-0x0000000077761000-0x0000000077762000-memory.dmp

Filesize
4KB

Download
memory/1200-16-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/1200-23-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/2056-89-0x000007FEF68C0000-0x000007FEF6986000-memory.dmp

Filesize
792KB

Download
memory/2056-94-0x000007FEF68C0000-0x000007FEF6986000-memory.dmp

Filesize
792KB

Download
memory/2632-53-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/2632-59-0x000007FEF6E50000-0x000007FEF6F15000-memory.dmp

Filesize
788KB

Download
memory/2632-54-0x000007FEF6E50000-0x000007FEF6F15000-memory.dmp

Filesize
788KB

Download
memory/2788-0-0x000007FEF6D80000-0x000007FEF6E45000-memory.dmp

Filesize
788KB

Download
memory/2788-12-0x000007FEF6D80000-0x000007FEF6E45000-memory.dmp

Filesize
788KB

Download
memory/2788-3-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download