dridex | 6c15387941d9c5100839fada2c08e23067b7467334e4ad6deb329d1660d4d482

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c15387941d9c5100839fada2c08e23067b7467334e4ad6deb329d1660d4d482N.dll
Size

776KB
MD5

9b8172adb2e1a4edd396f5d9aab93030
SHA1

901c5cf6f637b2946fc11f7edbce9dabed6563ef
SHA256

6c15387941d9c5100839fada2c08e23067b7467334e4ad6deb329d1660d4d482
SHA512

69703121022941ff097b071d1458307f0b48395a2a58cfad191c2680f6f8c2e2c9322a30f5a441dbeb8daece5f02f2cffa3fe48f20d24ca7eebb41577fe995ae
SSDEEP

12288:fbP23onr2XO7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:fbe42XO7KWgmjDR/T4a/Mdjm

Score

10^/10

dridex botnet defense_evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3144-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1228	mspaint.exe
112	MusNotificationUx.exe
1556	EhStorAuthn.exe

Loads dropped DLL 3 IoCs

pid	Process
1228	mspaint.exe
112	MusNotificationUx.exe
1556	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\ZmeM52BgsRU\\MusNotificationUx.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found
3144	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1648	3144	Process not Found	84
PID 3144 wrote to memory of 1648	3144	Process not Found	84
PID 3144 wrote to memory of 1228	3144	Process not Found	85
PID 3144 wrote to memory of 1228	3144	Process not Found	85
PID 3144 wrote to memory of 1820	3144	Process not Found	86
PID 3144 wrote to memory of 1820	3144	Process not Found	86
PID 3144 wrote to memory of 112	3144	Process not Found	87
PID 3144 wrote to memory of 112	3144	Process not Found	87
PID 3144 wrote to memory of 244	3144	Process not Found	88
PID 3144 wrote to memory of 244	3144	Process not Found	88
PID 3144 wrote to memory of 1556	3144	Process not Found	89
PID 3144 wrote to memory of 1556	3144	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c15387941d9c5100839fada2c08e23067b7467334e4ad6deb329d1660d4d482N.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1648

C:\Users\Admin\AppData\Local\5uzK\mspaint.exe
C:\Users\Admin\AppData\Local\5uzK\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1228

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:1820

C:\Users\Admin\AppData\Local\d4gjcYXIG\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\d4gjcYXIG\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:112

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:244

C:\Users\Admin\AppData\Local\yaejrwii1\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\yaejrwii1\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5uzK\WINMM.dll

Filesize
784KB

MD5
93ace1cdd8e045747eece69e2fc67f56

SHA1
3fa9d0debed0b57b6a0ed7211902158481a1e5e7

SHA256
3ceae495c8f94cda4b2c243eaaaad8e849bc4a1d3e1fc6c0469c10be47a8e721

SHA512
8300ff7c1f1076e31304ac4cf5a63b10e0c7d4fc864ffc1993f135150dc628c2ff476df1e8ace7f1fbb3c8a36f0dbb2e3e0665d92850cb2b1eb5a7a38e7705b8

Download Submit
C:\Users\Admin\AppData\Local\5uzK\mspaint.exe

Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\d4gjcYXIG\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\d4gjcYXIG\XmlLite.dll

Filesize
776KB

MD5
ce29ed08c3540d3b35bb2a8d3b8fa799

SHA1
5bca70bb30da52f3729fd33f50f662f516b2f0c1

SHA256
9673bbe2036d5b544c9da1fb5112a98a7479fa70f40780cc8cef4d861b12589d

SHA512
45d9a1752e6f6c64b8a552d96b803e70ed25391093744fb0f77d049cd5daeb4d6ed829e651dd8efc3079fcf58e28a6fad8f1d8adab601ea3099b47f8f244892e

Download Submit
C:\Users\Admin\AppData\Local\yaejrwii1\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\yaejrwii1\UxTheme.dll

Filesize
780KB

MD5
17e4e63d2db4ee496992b5f259ac111e

SHA1
83237f153c531b68188609d32540da0e72fc4266

SHA256
8d744d0ba2c6d1adae047ded650498bd302b60f1f41a1d20e873f6f48626e859

SHA512
73fd0a2954de19b3d9e8d42aa19ffba5ce3ee1b371703f32b612b25e991c112c9fc851c7e4d0c39b5f88c3e5fef835fe1213a9bc3344b7e9bf5b7551818ba194

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1008B

MD5
691465888c938c16b93cd43eded9a511

SHA1
41814d33c1d4c6c07d5b58ef02d76bd82238d26d

SHA256
58d01d15d1a910d582808af2d7b4295698d5797af17adbde23ff46912778a804

SHA512
bd69ce618878805c3a29c5b950e88bf98b8b3f4cc9449e1ac0c3f18a17f7f0c9d876f4b73689d7c61ba053e71eebf780c901a60e8e3e1255892c8631ed826086

Download Submit
memory/112-65-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/112-62-0x000001824DE60000-0x000001824DE67000-memory.dmp

Filesize
28KB

Download
memory/1228-45-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/1228-48-0x000001E115E30000-0x000001E115E37000-memory.dmp

Filesize
28KB

Download
memory/1228-44-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/1228-50-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/1556-81-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1556-82-0x000001C6DB530000-0x000001C6DB537000-memory.dmp

Filesize
28KB

Download
memory/1556-76-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2972-13-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/2972-3-0x000001ACF5D50000-0x000001ACF5D57000-memory.dmp

Filesize
28KB

Download
memory/2972-0-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-21-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-32-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-34-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-8-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-9-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-10-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-11-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-12-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-23-0x00007FFA32280000-0x00007FFA32290000-memory.dmp

Filesize
64KB

Download
memory/3144-22-0x0000000001E70000-0x0000000001E77000-memory.dmp

Filesize
28KB

Download
memory/3144-14-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-7-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3144-4-0x00007FFA3046A000-0x00007FFA3046B000-memory.dmp

Filesize
4KB

Download
memory/3144-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download