dridex | 5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93.dll
Size

788KB
MD5

57ff8aad6421b8785d191a75825a457d
SHA1

7991ebfc143d958342135a84297ee949ef110f2a
SHA256

5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93
SHA512

ec22ac2a7f68eb08b253a75efa75ca5d7dda6c726bc24f799556dd88f1347066c9a36ee683c8e77fef0cc42b0a86c4cbd6caabcf432134b63e815601b76fb908
SSDEEP

24576:9WyoyFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:oSuVMK6vx2RsIKNrj

Score

10^/10

dridex botnet discovery evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3456-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3224	SnippingTool.exe
2668	usocoreworker.exe
4352	ApplicationFrameHost.exe

Loads dropped DLL 3 IoCs

pid	Process
3224	SnippingTool.exe
2668	usocoreworker.exe
4352	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\xwqlB\\usocoreworker.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SnippingTool.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1620	SnippingTool.exe
3224	SnippingTool.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3832	rundll32.exe
3832	rundll32.exe
3832	rundll32.exe
3832	rundll32.exe
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1620	3456	Process not Found	84
PID 3456 wrote to memory of 1620	3456	Process not Found	84
PID 3456 wrote to memory of 3224	3456	Process not Found	85
PID 3456 wrote to memory of 3224	3456	Process not Found	85
PID 3456 wrote to memory of 1052	3456	Process not Found	86
PID 3456 wrote to memory of 1052	3456	Process not Found	86
PID 3456 wrote to memory of 2668	3456	Process not Found	87
PID 3456 wrote to memory of 2668	3456	Process not Found	87
PID 3456 wrote to memory of 4932	3456	Process not Found	88
PID 3456 wrote to memory of 4932	3456	Process not Found	88
PID 3456 wrote to memory of 4352	3456	Process not Found	89
PID 3456 wrote to memory of 4352	3456	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c31a1991b83b16d620785baf2e328b49cc684886f0682cfefc934c0f8762e93.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3832

C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1620

C:\Users\Admin\AppData\Local\jMAy\SnippingTool.exe
C:\Users\Admin\AppData\Local\jMAy\SnippingTool.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Network Configuration Discovery: Internet Connection Discovery
PID:3224

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\3uEU\usocoreworker.exe
C:\Users\Admin\AppData\Local\3uEU\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2668

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:4932

C:\Users\Admin\AppData\Local\F7Y4W\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\F7Y4W\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3uEU\XmlLite.dll

Filesize
788KB

MD5
8e3a487adf5d74f741e55b5b23df64cc

SHA1
5c00dfa9bf6685fcc699e913c2b405d5838f1cf1

SHA256
37fd0d5d9da821bee5c401869b2325c611a76cd58359e9fdaf83dcb3af0ade96

SHA512
db826cfd03b9233b3f27553c660e7fd3d30aa9d2161649553cfa07d76c4ed3c3cc480f9ec348b7c08f3e0d7653b45f8fc180ba939dfe3f173f559acd940f151c

Download Submit
C:\Users\Admin\AppData\Local\3uEU\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\F7Y4W\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\F7Y4W\dxgi.dll

Filesize
792KB

MD5
3ea5ea84e6594532dee007c88eda891c

SHA1
ac546fdf429937ef51d52df97562f0b230e1d06d

SHA256
fa1366d1fbe9c74fa8ab847db085de744d1f38bb14e48a0f80aa0bfc70292744

SHA512
a3dcb18747620b58f77c6048b2b0181b780323ab0e3ec9449c226fe52793d2b93cb28d06e954f943cc3d30aac98de60a0cc3ef7ec86dc032290d86139c5faadc

Download Submit
C:\Users\Admin\AppData\Local\jMAy\OLEACC.dll

Filesize
792KB

MD5
32ca4baa605f6d2e941fa448a82e2b50

SHA1
18e5cd361a9566bd65b1187ca0336325a12eacf4

SHA256
f7b3f21ac8cefaf6bd37be30ae3ef2517311bdf6832a9affee34d74a464fc57f

SHA512
36d7447cde19c7600f7e5b13a9641cf2089f820e078ad7ae5814e3ec1a96f0c5f197f2e83ac354303563f4c275a6d36979e406d26447336cf5fc89db5ccda786

Download Submit
C:\Users\Admin\AppData\Local\jMAy\SnippingTool.exe

Filesize
3.2MB

MD5
f06d69f2fdd4d6a4e16f55769b7dccc1

SHA1
735eb9b032d924b59a8767b9d49bdb88bed05220

SHA256
83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d

SHA512
ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
bd08e6dec829938e7b01678ee96a5345

SHA1
c4935a3a0f389c24ad3339289e8dcc1f8a5a53dd

SHA256
3b023a2dd41c6ea974828685d7e2299dbd97a26af24a5fa4b3dad97aede221d7

SHA512
d476a4b258cbb068cdba1a879707d5e1a70437f5962393e4f2a3752772325c52daf43c907e201f3a664e6fca05285e0b926c93a352a8ef18d394c6cab0281c08

Download Submit
memory/2668-62-0x000001B4AB8B0000-0x000001B4AB8B7000-memory.dmp

Filesize
28KB

Download
memory/2668-68-0x00007FFEF2130000-0x00007FFEF21F5000-memory.dmp

Filesize
788KB

Download
memory/3224-48-0x0000024C937D0000-0x0000024C937D7000-memory.dmp

Filesize
28KB

Download
memory/3224-51-0x00007FFEF1DD0000-0x00007FFEF1E96000-memory.dmp

Filesize
792KB

Download
memory/3224-45-0x00007FFEF1DD0000-0x00007FFEF1E96000-memory.dmp

Filesize
792KB

Download
memory/3456-24-0x0000000002E00000-0x0000000002E07000-memory.dmp

Filesize
28KB

Download
memory/3456-17-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-11-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-10-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-9-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-7-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-36-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-34-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-13-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-14-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-16-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-6-0x00007FFF0465A000-0x00007FFF0465B000-memory.dmp

Filesize
4KB

Download
memory/3456-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/3456-25-0x00007FFF04F40000-0x00007FFF04F50000-memory.dmp

Filesize
64KB

Download
memory/3456-23-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-15-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-8-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3832-0-0x000001D564D90000-0x000001D564D97000-memory.dmp

Filesize
28KB

Download
memory/3832-12-0x00007FFEF2130000-0x00007FFEF21F5000-memory.dmp

Filesize
788KB

Download
memory/3832-1-0x00007FFEF2130000-0x00007FFEF21F5000-memory.dmp

Filesize
788KB

Download
memory/4352-84-0x00007FFEF2130000-0x00007FFEF21F6000-memory.dmp

Filesize
792KB

Download
memory/4352-79-0x00007FFEF2130000-0x00007FFEF21F6000-memory.dmp

Filesize
792KB

Download