dridex | 899bcc783c6c38bbc60b714b79c0bd93e7752b34dd0f3ed1020837d65441b15f

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

899bcc783c6c38bbc60b714b79c0bd93e7752b34dd0f3ed1020837d65441b15f.dll
Size

768KB
MD5

c8943ebd87a704959163401518291eff
SHA1

436ad153aa4e9c163b885519a4b32aa69f0dca8f
SHA256

899bcc783c6c38bbc60b714b79c0bd93e7752b34dd0f3ed1020837d65441b15f
SHA512

bd9a2fc83e68f853ebe4798f192b2d033ccad0d24d29eba410d160a55cd5fad49f3f74f1bed6df3110bcb69216b642bd90c5c6536ac71d61ed9b014aa9ce324e
SSDEEP

24576:J4ld9/EkwVK+KFjZBxJ4PgGnMsMryIxNB:JK9/EkpVFjPxeftBaj

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1212-5-0x0000000002B30000-0x0000000002B31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2896	javaws.exe
2928	msinfo32.exe
3004	consent.exe

Loads dropped DLL 7 IoCs

pid	Process
1212	Process not Found
2896	javaws.exe
1212	Process not Found
2928	msinfo32.exe
1212	Process not Found
3004	consent.exe
1212	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\tcl\\msinfo32.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2844	1212	Process not Found	30
PID 1212 wrote to memory of 2844	1212	Process not Found	30
PID 1212 wrote to memory of 2844	1212	Process not Found	30
PID 1212 wrote to memory of 2896	1212	Process not Found	31
PID 1212 wrote to memory of 2896	1212	Process not Found	31
PID 1212 wrote to memory of 2896	1212	Process not Found	31
PID 1212 wrote to memory of 2840	1212	Process not Found	32
PID 1212 wrote to memory of 2840	1212	Process not Found	32
PID 1212 wrote to memory of 2840	1212	Process not Found	32
PID 1212 wrote to memory of 2928	1212	Process not Found	33
PID 1212 wrote to memory of 2928	1212	Process not Found	33
PID 1212 wrote to memory of 2928	1212	Process not Found	33
PID 1212 wrote to memory of 2784	1212	Process not Found	34
PID 1212 wrote to memory of 2784	1212	Process not Found	34
PID 1212 wrote to memory of 2784	1212	Process not Found	34
PID 1212 wrote to memory of 3004	1212	Process not Found	35
PID 1212 wrote to memory of 3004	1212	Process not Found	35
PID 1212 wrote to memory of 3004	1212	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\899bcc783c6c38bbc60b714b79c0bd93e7752b34dd0f3ed1020837d65441b15f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\65vke\javaws.exe
C:\Users\Admin\AppData\Local\65vke\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2896

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2840

C:\Users\Admin\AppData\Local\mYRBNa\msinfo32.exe
C:\Users\Admin\AppData\Local\mYRBNa\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2928

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\3Tvsk3e\consent.exe
C:\Users\Admin\AppData\Local\3Tvsk3e\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3Tvsk3e\WTSAPI32.dll

Filesize
772KB

MD5
0e59595a5f30f3e506a5d18d4eb5ccaf

SHA1
fef10ca11f05bbdaaf32e5109607dc27da792d7f

SHA256
331b870744ed8d1899fdf0a63f05dd7b97a4d7b0e89ce67939e08c8be175c8ca

SHA512
717efa167aa592e88e25f78d83a443267521dcbd8950a53c2c1cde935595cf2c73137ccdf64f4821ee97794ab67842900e7847b4816b0f9f8ce9ae57b3ef59bd

Download Submit
C:\Users\Admin\AppData\Local\3Tvsk3e\consent.exe

Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
C:\Users\Admin\AppData\Local\65vke\VERSION.dll

Filesize
772KB

MD5
e7125f481e3baa4ceb111a9532149e5c

SHA1
8a9efc036952da27ea78dc5466b1d453090cb9f2

SHA256
478653a5330027c4740d2e67a7faae2ad8a942f86f9a26b81b2bb5a995add592

SHA512
b85a305208ed060ece3e5cfc27d48e708f350de93fd8177f9d213477ae74a65dbbe5b45d1eefd591c2bb1f374102394fa3c53d54bfcde1bfde05daec7b7dab15

Download Submit
C:\Users\Admin\AppData\Local\mYRBNa\MFC42u.dll

Filesize
796KB

MD5
dee72d593fd88f317a246fb9333260f4

SHA1
1fd64617f0f7109175597cb9986a97e75434036f

SHA256
5b053c0fdaa52110a4dbd0881809c07a4725273186ba5c8d31f361c5e81b444c

SHA512
8050084b6191816fb03d83331f4e11871b8fe8cf44686fdd3dc9547840b608a9584403da4b01e71cd64edf4a9821ceff2968c4b05de5e2c2c1e6cf90abd2426b

Download Submit
C:\Users\Admin\AppData\Local\mYRBNa\msinfo32.exe

Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
c7172d0dd13c8372ce7a1d76dd4365d1

SHA1
ff2058f01b1b52f6a6fbc52ac8a1e8fafbcbe720

SHA256
41fbbf73f524688b38e2b6c112b986ef41965299fafb6aee7bf0083fbbc0a956

SHA512
db0f89a0e3b078bb92f0b563599b453a67e6a001eb01b9f2b8ecf0cb9887d90e9c0a2593a36038f5bbd7553ed79ef6957b41d340dea75e53953ba248a68c0b99

Download Submit
\Users\Admin\AppData\Local\65vke\javaws.exe

Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
memory/1212-35-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-30-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-12-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-15-0x0000000002B10000-0x0000000002B17000-memory.dmp

Filesize
28KB

Download
memory/1212-8-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-7-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-16-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-17-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-23-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-25-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/1212-24-0x0000000077C31000-0x0000000077C32000-memory.dmp

Filesize
4KB

Download
memory/1212-5-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1212-34-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-10-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-40-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-13-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-11-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-9-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1212-4-0x0000000077A26000-0x0000000077A27000-memory.dmp

Filesize
4KB

Download
memory/1212-94-0x0000000077A26000-0x0000000077A27000-memory.dmp

Filesize
4KB

Download
memory/2044-0-0x000007FEFB830000-0x000007FEFB8F0000-memory.dmp

Filesize
768KB

Download
memory/2044-3-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2044-14-0x000007FEFB830000-0x000007FEFB8F0000-memory.dmp

Filesize
768KB

Download
memory/2896-49-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2896-54-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2896-53-0x000007FEFB8E0000-0x000007FEFB9A1000-memory.dmp

Filesize
772KB

Download
memory/2896-50-0x000007FEFB8E0000-0x000007FEFB9A1000-memory.dmp

Filesize
772KB

Download
memory/2928-68-0x000007FEF8080000-0x000007FEF8147000-memory.dmp

Filesize
796KB

Download
memory/2928-69-0x0000000001B30000-0x0000000001B37000-memory.dmp

Filesize
28KB

Download
memory/2928-65-0x000007FEF8080000-0x000007FEF8147000-memory.dmp

Filesize
796KB

Download
memory/3004-80-0x000007FEF8080000-0x000007FEF8141000-memory.dmp

Filesize
772KB

Download
memory/3004-84-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/3004-83-0x000007FEF8080000-0x000007FEF8141000-memory.dmp

Filesize
772KB

Download