dridex | 6d29b1ddb14e42725ac1351da325c2a612a917dd6c455e88733febba2d8e64c8

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2025, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d29b1ddb14e42725ac1351da325c2a612a917dd6c455e88733febba2d8e64c8.dll
Size

776KB
MD5

2a9f5f71552637fc95139e9ae638d5e5
SHA1

36de00ab1abbd4af62c3a3d1d9f88c50622d8a87
SHA256

6d29b1ddb14e42725ac1351da325c2a612a917dd6c455e88733febba2d8e64c8
SHA512

82154505cdd05eee12a7a31b49c0d6b2457d6a2a7b962e2b907830ad7d4ab5260dc96f5a0f6178ea60745506ad5fafe1ab8b1a087f21f9395c2bcc222166ae8b
SSDEEP

12288:bbP23onr2Xi7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:bbe42Xi7KWgmjDR/T4a/Mdjm

Score

10^/10

dridex botnet defense_evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3508-4-0x0000000000EE0000-0x0000000000EE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1384	rdpinit.exe
4052	Dxpserver.exe
4440	tcmsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
1384	rdpinit.exe
4052	Dxpserver.exe
4440	tcmsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\PxP\\Dxpserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	rundll32.exe
2444	rundll32.exe
2444	rundll32.exe
2444	rundll32.exe
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2060	3508	Process not Found	84
PID 3508 wrote to memory of 2060	3508	Process not Found	84
PID 3508 wrote to memory of 1384	3508	Process not Found	85
PID 3508 wrote to memory of 1384	3508	Process not Found	85
PID 3508 wrote to memory of 1756	3508	Process not Found	86
PID 3508 wrote to memory of 1756	3508	Process not Found	86
PID 3508 wrote to memory of 4052	3508	Process not Found	87
PID 3508 wrote to memory of 4052	3508	Process not Found	87
PID 3508 wrote to memory of 4760	3508	Process not Found	88
PID 3508 wrote to memory of 4760	3508	Process not Found	88
PID 3508 wrote to memory of 4440	3508	Process not Found	89
PID 3508 wrote to memory of 4440	3508	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d29b1ddb14e42725ac1351da325c2a612a917dd6c455e88733febba2d8e64c8.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2060

C:\Users\Admin\AppData\Local\LO5a\rdpinit.exe
C:\Users\Admin\AppData\Local\LO5a\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1384

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\bxzu5xY2\Dxpserver.exe
C:\Users\Admin\AppData\Local\bxzu5xY2\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4052

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:4760

C:\Users\Admin\AppData\Local\TxLi\tcmsetup.exe
C:\Users\Admin\AppData\Local\TxLi\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LO5a\WTSAPI32.dll

Filesize
780KB

MD5
42c175a1b98f5f4faef1e8e726b1959b

SHA1
3be7540fb2c6f41a87c9ce9c8a7a567513af819b

SHA256
ce07bf632e26e425261300879ba4d54a47b6b16a5ed9faf1d9264dfd588b9cd7

SHA512
74cd73fe9edd178ed4acd76e034b4bc65828c3de193af40a46984a14404f3c96fc1e04a2bcf34b03ecd7412636e1a27070606c49780c5d3cdd38c89451fe6191

Download Submit
C:\Users\Admin\AppData\Local\LO5a\rdpinit.exe

Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\TxLi\TAPI32.dll

Filesize
784KB

MD5
188fa8b56f797aa74d6f3637f0a43434

SHA1
e083e4208f6b7b8f5588981f8d8e846edfec875f

SHA256
8d6b6509d49f0c892d2bf63c263819a3cffbc25600168497a4fa99ec4b54fb10

SHA512
78fbb9a20077031a1d7db7a71c37b433f0f04aee8d53c58c6e6e9cbcec9e8b10739495ce15ad8869b62d4586a4f729a057b16d21c1856912003706e228188f2f

Download Submit
C:\Users\Admin\AppData\Local\TxLi\tcmsetup.exe

Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Users\Admin\AppData\Local\bxzu5xY2\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\bxzu5xY2\dwmapi.dll

Filesize
780KB

MD5
94ab0c793924d07458bea087af9cb04c

SHA1
055ab9ca5de2d0edce2c670fe7b4bdd7acf2e884

SHA256
c92ebe60e9d68bef834ca52d32534c587ceafeb68c38f1cc750728401e6fa544

SHA512
cab911e452b64974447b94a291e47ca781b4b057bc28c541a1fae303fc76755cefa1ab239a53f18bea8eb422c65245eef8b5f68a511b26669e6bbbc4f99fe4d1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1KB

MD5
1ac0693bd319d23caf98cc1fc290134e

SHA1
12483149e537368099607f2c5b47956d559bccc8

SHA256
1b6fd36eb88bc16af28e45dd27ffcc39dbfc67af323151de7f4bc8ee250c6d68

SHA512
04b78bb077c32ef5dca0e06d3da7c478ac50ada642dbb63158c300420b1e64248119793c85b1cdac824cd305e388457cc99cdfc57bc53b8e9c9ea0d7479bb855

Download Submit
memory/1384-43-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1384-51-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1384-46-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1384-47-0x00000194E28B0000-0x00000194E28B7000-memory.dmp

Filesize
28KB

Download
memory/2444-3-0x000001F158550000-0x000001F158557000-memory.dmp

Filesize
28KB

Download
memory/2444-13-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/2444-0-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-22-0x0000000000EB0000-0x0000000000EB7000-memory.dmp

Filesize
28KB

Download
memory/3508-14-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-34-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-9-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-10-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-11-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-12-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-7-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-23-0x00007FFCF2620000-0x00007FFCF2630000-memory.dmp

Filesize
64KB

Download
memory/3508-21-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-8-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-32-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3508-4-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3508-5-0x00007FFCF22CA000-0x00007FFCF22CB000-memory.dmp

Filesize
4KB

Download
memory/4052-68-0x000002C43F1A0000-0x000002C43F1A7000-memory.dmp

Filesize
28KB

Download
memory/4052-70-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/4052-62-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/4440-81-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/4440-83-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/4440-87-0x0000021717D70000-0x0000021717D77000-memory.dmp

Filesize
28KB

Download
memory/4440-89-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download