dridex | a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e.dll
Size

776KB
MD5

267ebe7f32597e6cbbd20590a180d77f
SHA1

12acab01e939ca2cbd0b2d419a5292127f76f91b
SHA256

a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e
SHA512

15d78c31ce57f90230c0a9acac167791197b1178e1a7cb9988f71b953f3c3c3a8ae4d522fe3ec8b4091b99b1e5b98929c46a32f5f3e796e0facf8f35a0557d67
SSDEEP

12288:fbP23onr2XO7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQg:fbe42XO7KWgmjDR/T4a/MdjmJ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1188-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2080	Netplwiz.exe
2884	lpksetup.exe
536	DWWIN.EXE

Loads dropped DLL 7 IoCs

pid	Process
1188	Process not Found
2080	Netplwiz.exe
1188	Process not Found
2884	lpksetup.exe
1188	Process not Found
536	DWWIN.EXE
1188	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\5Q\\lpksetup.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 592	1188	Process not Found	31
PID 1188 wrote to memory of 592	1188	Process not Found	31
PID 1188 wrote to memory of 592	1188	Process not Found	31
PID 1188 wrote to memory of 2080	1188	Process not Found	32
PID 1188 wrote to memory of 2080	1188	Process not Found	32
PID 1188 wrote to memory of 2080	1188	Process not Found	32
PID 1188 wrote to memory of 2880	1188	Process not Found	33
PID 1188 wrote to memory of 2880	1188	Process not Found	33
PID 1188 wrote to memory of 2880	1188	Process not Found	33
PID 1188 wrote to memory of 2884	1188	Process not Found	34
PID 1188 wrote to memory of 2884	1188	Process not Found	34
PID 1188 wrote to memory of 2884	1188	Process not Found	34
PID 1188 wrote to memory of 2384	1188	Process not Found	35
PID 1188 wrote to memory of 2384	1188	Process not Found	35
PID 1188 wrote to memory of 2384	1188	Process not Found	35
PID 1188 wrote to memory of 536	1188	Process not Found	36
PID 1188 wrote to memory of 536	1188	Process not Found	36
PID 1188 wrote to memory of 536	1188	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6f60e617596fae22bfc758d49593f3a413ffab053d4d37128849496bc82100e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:592

C:\Users\Admin\AppData\Local\J4ErA\Netplwiz.exe
C:\Users\Admin\AppData\Local\J4ErA\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2080

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:2880

C:\Users\Admin\AppData\Local\ZdMB\lpksetup.exe
C:\Users\Admin\AppData\Local\ZdMB\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2884

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2384

C:\Users\Admin\AppData\Local\ZirS9lcw\DWWIN.EXE
C:\Users\Admin\AppData\Local\ZirS9lcw\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\J4ErA\NETPLWIZ.dll

Filesize
776KB

MD5
bc57f35184b16923d800668b4bc3cbe9

SHA1
db4b7ccd81dc3b5b0b87aa4d816a6b32d525b4e3

SHA256
3c1aafb0b3a2ef684bcb102fd05a170d2ae9e5a7a065694ff9a27f8bf12994cf

SHA512
3401ac1c2c6020620c580058b2e403d005256c8948ea9b73d1e59e42410a070a3db2d86a102e141999d35f299a8efc44bceda6b53aeea8c878df09cc149cbb7f

Download Submit
C:\Users\Admin\AppData\Local\J4ErA\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\ZdMB\slc.dll

Filesize
780KB

MD5
008ae6386553f06fcf12d2fa919c3307

SHA1
5a2955a4aac69da6aeedfb92da2f5bbeeac3495c

SHA256
6d020753dc5c1b38717876bae4fa143cf576105c01b053399fd76a375d968d3c

SHA512
0400d3a927154da7accc61c52d4b01f570080227b69fd85311613f28121497382c81b54c73505a537829475c4e719056b7e13a580e8f16a0ebe7ef88e297c04b

Download Submit
C:\Users\Admin\AppData\Local\ZirS9lcw\wer.dll

Filesize
780KB

MD5
99d792a359c054edf22c6bcca9534888

SHA1
d729684b33c1a692ccba78fd50fecb313d713290

SHA256
bcc525df93bf3ac97e04335860d020b99a5ab666435a7b605a92174f2991b02a

SHA512
276558eaf242a7b73f77ac5057f5d34cca87ea11c83c42305c1270a64346e7e92d0678c9abba10421099632d3080571508e7391a03c1344321ecf7af7411e218

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
694e3cd550966ac0d314f088e31f9920

SHA1
b9eb322af76a93ae2e2f9cd93db55583f84a2a6f

SHA256
03406cd4012dba5a8863b36207e7f367ddb61a778f1a58ef055d42025181a968

SHA512
30fcc98daa6b57c9576c3abb91651d023b3c99c45b47ac301f0a5d210a870809a90844243cd3512892326f2c3967e2dfc0c564ef3e0b42744eedaef7896c8ebb

Download Submit
\Users\Admin\AppData\Local\ZdMB\lpksetup.exe

Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\ZirS9lcw\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
memory/536-88-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/536-91-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1188-13-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-7-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-21-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-24-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

Filesize
8KB

Download
memory/1188-23-0x0000000077B61000-0x0000000077B62000-memory.dmp

Filesize
4KB

Download
memory/1188-22-0x00000000025E0000-0x00000000025E7000-memory.dmp

Filesize
28KB

Download
memory/1188-14-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-33-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-37-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-38-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-43-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-12-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-105-0x0000000077A56000-0x0000000077A57000-memory.dmp

Filesize
4KB

Download
memory/1188-4-0x0000000077A56000-0x0000000077A57000-memory.dmp

Filesize
4KB

Download
memory/1188-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1188-10-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-9-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/1188-8-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/2080-54-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2080-57-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/2744-11-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/2744-1-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/2744-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2884-73-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2884-69-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download