dridex | 6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8ac

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8acN.dll
Size

768KB
MD5

6e095303f4a13d3abc3570c81c9770b0
SHA1

51d72095910bcee40e9ca5d3faedf1b3072b5e0a
SHA256

6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8ac
SHA512

602eccf8d5b16cc78409f912752b594c7d01d0eaa79c7723b491a3c48ee19a5b1885769cecabdced0eccb1f7b045237bd8616b4949e36b09a75616aa0277dc6e
SSDEEP

12288:J4vNC4bAo/u7kwVKwtKFjZMrCx1U6RjUEjkxDekdIppEiQ/W+nxtnP4DqMX9z6Vo:J4ld9/EkwVK+KFjZBxJ4PgGnMsMryIxN

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3500-4-0x0000000003360000-0x0000000003361000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3992	AtBroker.exe
1348	GamePanel.exe
5060	tabcal.exe

Loads dropped DLL 3 IoCs

pid	Process
3992	AtBroker.exe
1348	GamePanel.exe
5060	tabcal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\AWC54D~1\\GAMEPA~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5032	rundll32.exe
5032	rundll32.exe
5032	rundll32.exe
5032	rundll32.exe
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 3760	3500	Process not Found	84
PID 3500 wrote to memory of 3760	3500	Process not Found	84
PID 3500 wrote to memory of 3992	3500	Process not Found	85
PID 3500 wrote to memory of 3992	3500	Process not Found	85
PID 3500 wrote to memory of 1608	3500	Process not Found	86
PID 3500 wrote to memory of 1608	3500	Process not Found	86
PID 3500 wrote to memory of 1348	3500	Process not Found	87
PID 3500 wrote to memory of 1348	3500	Process not Found	87
PID 3500 wrote to memory of 3972	3500	Process not Found	88
PID 3500 wrote to memory of 3972	3500	Process not Found	88
PID 3500 wrote to memory of 5060	3500	Process not Found	89
PID 3500 wrote to memory of 5060	3500	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b146c5ce365cba99f25e10535011a4a1b107a2e972dddb7d97204154233c8acN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:3760

C:\Users\Admin\AppData\Local\hCHG0vb\AtBroker.exe
C:\Users\Admin\AppData\Local\hCHG0vb\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3992

C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
1⤵
PID:1608

C:\Users\Admin\AppData\Local\xhps\GamePanel.exe
C:\Users\Admin\AppData\Local\xhps\GamePanel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1348

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:3972

C:\Users\Admin\AppData\Local\MvQnySiVK\tabcal.exe
C:\Users\Admin\AppData\Local\MvQnySiVK\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MvQnySiVK\HID.DLL

Filesize
772KB

MD5
a9259036e36dd2f5fd12154f429553ab

SHA1
dc6968f87eebaa94c1fb1d124b8a743438d48cf4

SHA256
d9717f284dfc0703da5474291617534162d06424eaa4ef557ba36b6454c5a5c3

SHA512
2bb4f07b3e9ea7ad6d945cfc09fff76b8016e52e6eba48263b6a27ca10ccd61f01eae44f5512ccc92323408d25e1c112eadbf0e977d70b9c3232b65c1439cd7e

Download Submit
C:\Users\Admin\AppData\Local\MvQnySiVK\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Local\hCHG0vb\AtBroker.exe

Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\hCHG0vb\UxTheme.dll

Filesize
772KB

MD5
c42464d7de884cd1e4dcccab4d8c9bb2

SHA1
6c6c188d08584775cb18155902bce30bea2a37b8

SHA256
cef64e81b7144931fb2007a52e2de1894d261d30050843bde9d3b63eb45a51df

SHA512
43fb7205696a3fde39243e43eda0c7bbae7b86e089068847d5b3586730e139f1a96a34143400def3400637fc0306495c1a6e89486d19b128bbf74c9f9de804df

Download Submit
C:\Users\Admin\AppData\Local\xhps\GamePanel.exe

Filesize
1.2MB

MD5
266f6a62c16f6a889218800762b137be

SHA1
31b9bd85a37bf0cbb38a1c30147b83671458fa72

SHA256
71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

SHA512
b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

Download Submit
C:\Users\Admin\AppData\Local\xhps\dwmapi.dll

Filesize
772KB

MD5
44128e70ad7529a438e3e581c0f79205

SHA1
0ead8cc813e4e4c4bface13c19d6b1946ccf374c

SHA256
9c4d80b98fd176650cd4048f37ccca6d0634076de39d154eb7f662eb65c85b8a

SHA512
96cbaf53eb8dbce000e5478b71dc8d4e56e79ee64f747ffcc06227a6509002349ad60454b5329ed87c686705235fe82f57440f8c6abef6e2b065763d2e483b34

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
31d2af4a416f7672811e52228af5f5a7

SHA1
a59b2ccc4de6db834cb800bb6273da6765cb158a

SHA256
79d5057a93f4fd263a4566d54479a01eeae571f4838080dfed43a77d5d82b78c

SHA512
92485143889a25b1836df4e8919e6832f4aecec64cc39c8cbd6ff60be3fb630626e7cefe786bee40292b7692ad725346ed8f6f422d9e18fa19a62e8e9f03c01b

Download Submit
memory/1348-59-0x00007FF94EF00000-0x00007FF94EFC1000-memory.dmp

Filesize
772KB

Download
memory/1348-63-0x00007FF94EF00000-0x00007FF94EFC1000-memory.dmp

Filesize
772KB

Download
memory/1348-62-0x000001BE68540000-0x000001BE68547000-memory.dmp

Filesize
28KB

Download
memory/3500-26-0x00007FF95E760000-0x00007FF95E770000-memory.dmp

Filesize
64KB

Download
memory/3500-15-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-35-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-33-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-12-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-11-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-10-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-9-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-8-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-4-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3500-7-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-6-0x00007FF95DCFA000-0x00007FF95DCFB000-memory.dmp

Filesize
4KB

Download
memory/3500-16-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-22-0x0000000003370000-0x0000000003377000-memory.dmp

Filesize
28KB

Download
memory/3500-13-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3500-23-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3992-45-0x0000017C974F0000-0x0000017C974F7000-memory.dmp

Filesize
28KB

Download
memory/3992-46-0x00007FF94EFA0000-0x00007FF94F061000-memory.dmp

Filesize
772KB

Download
memory/3992-49-0x00007FF94EFA0000-0x00007FF94F061000-memory.dmp

Filesize
772KB

Download
memory/5032-3-0x0000020A79A60000-0x0000020A79A67000-memory.dmp

Filesize
28KB

Download
memory/5032-14-0x00007FF94EEF0000-0x00007FF94EFB0000-memory.dmp

Filesize
768KB

Download
memory/5032-0-0x00007FF94EEF0000-0x00007FF94EFB0000-memory.dmp

Filesize
768KB

Download
memory/5060-73-0x0000022750CC0000-0x0000022750CC7000-memory.dmp

Filesize
28KB

Download
memory/5060-77-0x00007FF94EFA0000-0x00007FF94F061000-memory.dmp

Filesize
772KB

Download