dridex | 138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277N.dll
Size

984KB
MD5

89f99b617454ae1d26f9c5614f19fd30
SHA1

43194372fae7b50a95e00580ce5d64134e4c1b7d
SHA256

138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277
SHA512

fb0445aba4301466b7c5d8dea9afbf87e0ab5d0bbbcee924d22af97700370f0dd13a80691ab322ffabbbb16e287df160344f5f7a54b1834be2b0fda0089470a3
SSDEEP

24576:yWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ijg:1nuVMK6vx2RsIKNrj

Score

10^/10

dridex botnet defense_evasion discovery payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3456-4-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
728	SystemPropertiesDataExecutionPrevention.exe
2036	PresentationHost.exe
3444	SnippingTool.exe

Loads dropped DLL 3 IoCs

pid	Process
728	SystemPropertiesDataExecutionPrevention.exe
2036	PresentationHost.exe
3444	SnippingTool.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\iyaL\\PresentationHost.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SnippingTool.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4688	SnippingTool.exe
3444	SnippingTool.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1888	3456	Process not Found	83
PID 3456 wrote to memory of 1888	3456	Process not Found	83
PID 3456 wrote to memory of 728	3456	Process not Found	84
PID 3456 wrote to memory of 728	3456	Process not Found	84
PID 3456 wrote to memory of 1724	3456	Process not Found	87
PID 3456 wrote to memory of 1724	3456	Process not Found	87
PID 3456 wrote to memory of 2036	3456	Process not Found	88
PID 3456 wrote to memory of 2036	3456	Process not Found	88
PID 3456 wrote to memory of 4688	3456	Process not Found	90
PID 3456 wrote to memory of 4688	3456	Process not Found	90
PID 3456 wrote to memory of 3444	3456	Process not Found	92
PID 3456 wrote to memory of 3444	3456	Process not Found	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277N.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:1888

C:\Users\Admin\AppData\Local\AKDRZD\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\AKDRZD\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:728

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1724

C:\Users\Admin\AppData\Local\jOT\PresentationHost.exe
C:\Users\Admin\AppData\Local\jOT\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2036

C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4688

C:\Users\Admin\AppData\Local\7CzSDj\SnippingTool.exe
C:\Users\Admin\AppData\Local\7CzSDj\SnippingTool.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Network Configuration Discovery: Internet Connection Discovery
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7CzSDj\SnippingTool.exe

Filesize
3.2MB

MD5
f06d69f2fdd4d6a4e16f55769b7dccc1

SHA1
735eb9b032d924b59a8767b9d49bdb88bed05220

SHA256
83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d

SHA512
ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b

Download Submit
C:\Users\Admin\AppData\Local\7CzSDj\dwmapi.dll

Filesize
988KB

MD5
2f19cadad4dd966bcac0a916d99bc823

SHA1
2d9b5016c395d495635a9070072c6adb96883131

SHA256
2b9184cae7c13e8e68ef254de24aa26908e7eb0c6cfa1dcaa5fbfa187c7f7c05

SHA512
4f5a686db5119d9a17e3f8fb509c772a0fd9e8428894be0d4ddccd87fd9ef3fb6625719905fd2adb7422d7ae731ab71620fb23588af29cd3a00bfbb2baf97b56

Download Submit
C:\Users\Admin\AppData\Local\AKDRZD\SYSDM.CPL

Filesize
984KB

MD5
28fc0ad73a687b601b8bcb480b63a7ba

SHA1
680eb0e7265c5dc6e37e08dd7e416eb93dd3efb3

SHA256
92e42a103837b6c415cd20c6e9eed8cf058b6d0a3cef5bad557d1853d702f758

SHA512
0889512f3a1773f02c3066d3b53774cee774051d9fff09fb15f66d20b0ba06bb14da89fb197de81c71dfcc26bd5cef924884d35b94fab2fcb9bc6eba74a8ab7b

Download Submit
C:\Users\Admin\AppData\Local\AKDRZD\SystemPropertiesDataExecutionPrevention.exe

Filesize
82KB

MD5
de58532954c2704f2b2309ffc320651d

SHA1
0a9fc98f4d47dccb0b231edf9a63309314f68e3b

SHA256
1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

SHA512
d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Download Submit
C:\Users\Admin\AppData\Local\jOT\PresentationHost.exe

Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\jOT\VERSION.dll

Filesize
984KB

MD5
d44abc6d40c8d87131181dff700f1061

SHA1
1c30334f4c7d982d79a0b54c57c3ef30da5da294

SHA256
6cd43980574b8df22b98c377965b6ea8b64fb65f8e1e13992583fd7f5d959874

SHA512
4d73753ecfeef093d514b9b5edc9c804891f5c5103af1a013f9e2cec19ca29a480eae43648071da1c5411944710650838ad3c5f7e4e4553f6f76f10ea12120ef

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
359c4dc9bf5c3daa71875268f82db728

SHA1
cfc76a0da41ec95515a1472d788464a875f677cc

SHA256
8dbe653d61bd4a4a76f431c8ad0b6f37bd333cffb17c7cfcc0ae76fbfe3249f9

SHA512
a469279ab65f62ed323718b1399d70197104c0de47fd1647d8174bcaced9388307e06abd8e296241708acc91206f26c4e28580491c788a7997f3953668642523

Download Submit
memory/728-50-0x00007FFBF78E0000-0x00007FFBF79D6000-memory.dmp

Filesize
984KB

Download
memory/728-45-0x00007FFBF78E0000-0x00007FFBF79D6000-memory.dmp

Filesize
984KB

Download
memory/728-44-0x0000027B495E0000-0x0000027B495E7000-memory.dmp

Filesize
28KB

Download
memory/1932-8-0x00007FFBF7930000-0x00007FFBF7A26000-memory.dmp

Filesize
984KB

Download
memory/1932-3-0x000001AB58320000-0x000001AB58327000-memory.dmp

Filesize
28KB

Download
memory/1932-0-0x00007FFBF7930000-0x00007FFBF7A26000-memory.dmp

Filesize
984KB

Download
memory/2036-66-0x000001D57F9C0000-0x000001D57F9C7000-memory.dmp

Filesize
28KB

Download
memory/2036-67-0x00007FFBF7930000-0x00007FFBF7A26000-memory.dmp

Filesize
984KB

Download
memory/3444-85-0x00007FFBE9A20000-0x00007FFBE9B17000-memory.dmp

Filesize
988KB

Download
memory/3444-80-0x00007FFBE9A20000-0x00007FFBE9B17000-memory.dmp

Filesize
988KB

Download
memory/3456-24-0x00007FFC07340000-0x00007FFC07350000-memory.dmp

Filesize
64KB

Download
memory/3456-14-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-15-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-16-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-23-0x0000000000AC0000-0x0000000000AC7000-memory.dmp

Filesize
28KB

Download
memory/3456-10-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-22-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-35-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-7-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-13-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-33-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-6-0x00007FFC05E5A000-0x00007FFC05E5B000-memory.dmp

Filesize
4KB

Download
memory/3456-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3456-11-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-9-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3456-12-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download