dridex | d4d9ff199368067600f128d3d3ac1fcc3bfbf0cabfe64b14b8484731ae64117d

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d9ff199368067600f128d3d3ac1fcc3bfbf0cabfe64b14b8484731ae64117d.dll
Size

780KB
MD5

3fa092a0e0ea8a296e20322bcbdc38c4
SHA1

78a2adda053686d8a2ddba3ccd3a5e0f1672575b
SHA256

d4d9ff199368067600f128d3d3ac1fcc3bfbf0cabfe64b14b8484731ae64117d
SHA512

f6b3df5593d62e42f289d59896082d5a4d2a093f01d31e3d790a07223e2ee8728942c5c0b3570fcdfbf79554db89f1c8affdadd42aa5dec2e409878785bd605a
SSDEEP

12288:kbP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQn:kbe42XV7KWgmjDR/T4a/Mdjmi

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3456-4-0x0000000002680000-0x0000000002681000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2644	RdpSa.exe
4768	tabcal.exe
1868	Utilman.exe

Loads dropped DLL 3 IoCs

pid	Process
2644	RdpSa.exe
4768	tabcal.exe
1868	Utilman.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\jGE8e\\tabcal.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1548	rundll32.exe
1548	rundll32.exe
1548	rundll32.exe
1548	rundll32.exe
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3908	3456	Process not Found	83
PID 3456 wrote to memory of 3908	3456	Process not Found	83
PID 3456 wrote to memory of 2644	3456	Process not Found	84
PID 3456 wrote to memory of 2644	3456	Process not Found	84
PID 3456 wrote to memory of 4748	3456	Process not Found	85
PID 3456 wrote to memory of 4748	3456	Process not Found	85
PID 3456 wrote to memory of 4768	3456	Process not Found	86
PID 3456 wrote to memory of 4768	3456	Process not Found	86
PID 3456 wrote to memory of 3188	3456	Process not Found	87
PID 3456 wrote to memory of 3188	3456	Process not Found	87
PID 3456 wrote to memory of 1868	3456	Process not Found	88
PID 3456 wrote to memory of 1868	3456	Process not Found	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4d9ff199368067600f128d3d3ac1fcc3bfbf0cabfe64b14b8484731ae64117d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:3908

C:\Users\Admin\AppData\Local\6eclfqMj\RdpSa.exe
C:\Users\Admin\AppData\Local\6eclfqMj\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2644

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:4748

C:\Users\Admin\AppData\Local\cFq\tabcal.exe
C:\Users\Admin\AppData\Local\cFq\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4768

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:3188

C:\Users\Admin\AppData\Local\EvRzTewJB\Utilman.exe
C:\Users\Admin\AppData\Local\EvRzTewJB\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6eclfqMj\RdpSa.exe

Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\6eclfqMj\WINSTA.dll

Filesize
788KB

MD5
af00a5e82fe9d76265441a08f662d1d3

SHA1
fdc51b8518ed830018b5f4b43464f79fbc322f78

SHA256
7d7edfe3ee99bf23d3b69662c6d7fdeb7b47012092e29cae787b770ee52d9051

SHA512
e8cdc856548df1c2db414f4c4b4fac5c6831e100e6d06da98c85a8b5a3cf9da941a39d7417d3d17dfd856e97405644cc8a3cf1b9e6086f13f073a17018304b5c

Download Submit
C:\Users\Admin\AppData\Local\EvRzTewJB\DUI70.dll

Filesize
1.0MB

MD5
749b4dfae5773f39589c055546402a0f

SHA1
c1cc36ae7e1e3cbf17e8cbe563db2d4c599dbc36

SHA256
ff54a5e3d82084a7b8bc53ffa90edc3e4a9e13397aa484eb62f11d4cf4d42262

SHA512
5d12a436584c736f2a194d8d41db02482a2c4c9c10caff83d44daa9bba67816241c512fa9f0af07d55073288ed32a49f332f04b7b898e4e46180aeaef2f4041d

Download Submit
C:\Users\Admin\AppData\Local\EvRzTewJB\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\cFq\HID.DLL

Filesize
784KB

MD5
735c2c6307438e421b74f6cfb88e1116

SHA1
0c0d85762e77f4b3d549a0422fd591138c0b9534

SHA256
1ec4e31d8c9db0620d925d600700207c4b848d6107cf2cc0241f6eff77f1dc93

SHA512
945fee40b9db681a915d5b5ead8aebbc6af4571eff6897fa23c904b82b8a01d5b4ed3c4ff9af28d7d04baa43032af73334c64318a9a42409ce208cc0628b597b

Download Submit
C:\Users\Admin\AppData\Local\cFq\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
c63ab2cf72603b1f62d548781e8f4885

SHA1
0d424a5329731847fa8b6f5a61ac258d4052ce14

SHA256
2a4d9ebfc16460e995f380e2aeb2d3e79fc47a8b37a88a9c59da0b1e11000513

SHA512
74eddde003598e353eda18346ea271ad30d7548d017bc4a0e404ab48f59e5666db24470cfd4743ca917be7b0aec0e0fef1607248a714cb489d456880427bccb7

Download Submit
memory/1548-1-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1548-0-0x000002A6CE680000-0x000002A6CE687000-memory.dmp

Filesize
28KB

Download
memory/1548-14-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1868-84-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1868-83-0x0000026C3FE30000-0x0000026C3FE37000-memory.dmp

Filesize
28KB

Download
memory/1868-79-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/2644-50-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/2644-44-0x0000024769810000-0x0000024769817000-memory.dmp

Filesize
28KB

Download
memory/2644-45-0x0000000140000000-0x00000001400C5000-memory.dmp

Filesize
788KB

Download
memory/3456-33-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-22-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-4-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3456-13-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-12-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-6-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-7-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-9-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-8-0x00007FF925EAA000-0x00007FF925EAB000-memory.dmp

Filesize
4KB

Download
memory/3456-15-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-10-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-26-0x00007FF927800000-0x00007FF927810000-memory.dmp

Filesize
64KB

Download
memory/3456-11-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-35-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3456-25-0x00000000024C0000-0x00000000024C7000-memory.dmp

Filesize
28KB

Download
memory/4768-67-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/4768-64-0x0000027FA9710000-0x0000027FA9717000-memory.dmp

Filesize
28KB

Download
memory/4768-61-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download