dridex | 123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll
Size

984KB
MD5

f5e2ec95b6d3d591609351b2c32c15fc
SHA1

56ff4415603201d5367280e88348a56f24e4863b
SHA256

123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff
SHA512

ccd2977e2a21ea3f8c0ca0774f84af450813a9b338dcf31e59ae377f7cca9206e64f7be2e756ead7abcc61114b7d1a20480bec7dca56e6252d264fbc824f6fc0
SSDEEP

24576:yWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ijgx:1nuVMK6vx2RsIKNrjE

Score

10^/10

dridex botnet defense_evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3408-5-0x0000000002F10000-0x0000000002F11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4220	Dxpserver.exe
4584	ProximityUxHost.exe
3332	MusNotificationUx.exe

Loads dropped DLL 3 IoCs

pid	Process
4220	Dxpserver.exe
4584	ProximityUxHost.exe
3332	MusNotificationUx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\dlmTDkn47f\\ProximityUxHost.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProximityUxHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 1620	3408	Process not Found	84
PID 3408 wrote to memory of 1620	3408	Process not Found	84
PID 3408 wrote to memory of 4220	3408	Process not Found	85
PID 3408 wrote to memory of 4220	3408	Process not Found	85
PID 3408 wrote to memory of 1272	3408	Process not Found	86
PID 3408 wrote to memory of 1272	3408	Process not Found	86
PID 3408 wrote to memory of 4584	3408	Process not Found	87
PID 3408 wrote to memory of 4584	3408	Process not Found	87
PID 3408 wrote to memory of 3824	3408	Process not Found	88
PID 3408 wrote to memory of 3824	3408	Process not Found	88
PID 3408 wrote to memory of 3332	3408	Process not Found	89
PID 3408 wrote to memory of 3332	3408	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3304

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1620

C:\Users\Admin\AppData\Local\gnYM5\Dxpserver.exe
C:\Users\Admin\AppData\Local\gnYM5\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4220

C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
1⤵
PID:1272

C:\Users\Admin\AppData\Local\7KQ\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\7KQ\ProximityUxHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4584

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:3824

C:\Users\Admin\AppData\Local\ww8sXT\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\ww8sXT\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7KQ\ProximityUxHost.exe

Filesize
263KB

MD5
9ea326415b83d77295c70a35feb75577

SHA1
f8fc6a4f7f97b242f35066f61d305e278155b8a8

SHA256
192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

SHA512
2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

Download Submit
C:\Users\Admin\AppData\Local\7KQ\WINMM.dll

Filesize
992KB

MD5
8ca1e4e258414e16b59075d3bdf17efc

SHA1
11751d684b63cda7f3fe75eff76a89b97015f4d7

SHA256
66a72c84d8dd5024adcac9ad676709d60180aeca2b7f7815b6044962f40829dc

SHA512
aa3c506964e5e6caf0e33cd5ced04e3da7bee1debe2af6d9bc786573b40eff11577dbdfcb288287c1b217fd45be48d6ab2ae47baf76fbcd9343907a54e5478f4

Download Submit
C:\Users\Admin\AppData\Local\gnYM5\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\gnYM5\dwmapi.dll

Filesize
988KB

MD5
f369cabc9dd1f498f06ad113a35c0dfb

SHA1
42c9458d8e346e28fc6069f7aee78ebf8382a9c7

SHA256
03f794b9e9b58f913a514ff2ad588111ca38214417713a1f739214ff7cdb9983

SHA512
10168b3634df41e2544e32336fd8a3efb772c0bafd6de02a12a37875f2b73be302281c5d96b0a7456992100bf0dec181121cef05d02053a7d57d2f4437a0ab96

Download Submit
C:\Users\Admin\AppData\Local\ww8sXT\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\ww8sXT\XmlLite.dll

Filesize
984KB

MD5
d852259e936bf55d3db92816fcbfbecd

SHA1
84c6d9d3e1ed509ca223947f242aff2dfcda875a

SHA256
7f1bc15d2167e01f6f8f2d2419719c77042cf7431077d7f4b2311783f886a028

SHA512
7aa954bd1d85199077b918e0aa79699bf38669f018dd75f57150191f892d7a04d533f7b59743e80139a4658ade17faa30a309e047006f279edb63e041eb1a3bd

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
1KB

MD5
85a01708b44b56053244c4675d7b09de

SHA1
a09b9417f5e3ab0c30aaeae1ac3bbccfa69518e9

SHA256
4ca3a105e69cf5ffe3f283342bea85d865efe37e6f86e39a6a404beb2d05caa5

SHA512
192ae6868996c1b157c3cd846f6ef4e731f5c713d0e11e8cc18d3d343a0fa07ea59af872d3de326e5ddd915803e14bb0bb0b552edaa3c3d740ac96b880dd83e3

Download Submit
memory/3304-11-0x00007FFEBF0D0000-0x00007FFEBF1C6000-memory.dmp

Filesize
984KB

Download
memory/3304-1-0x00007FFEBF0D0000-0x00007FFEBF1C6000-memory.dmp

Filesize
984KB

Download
memory/3304-3-0x000002BEF5EB0000-0x000002BEF5EB7000-memory.dmp

Filesize
28KB

Download
memory/3332-83-0x00007FFEBF0D0000-0x00007FFEBF1C6000-memory.dmp

Filesize
984KB

Download
memory/3408-23-0x0000000001440000-0x0000000001447000-memory.dmp

Filesize
28KB

Download
memory/3408-15-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-13-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-10-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-9-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-8-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-35-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-14-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-16-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-33-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-5-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/3408-12-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-4-0x00007FFECD50A000-0x00007FFECD50B000-memory.dmp

Filesize
4KB

Download
memory/3408-24-0x00007FFECDD00000-0x00007FFECDD10000-memory.dmp

Filesize
64KB

Download
memory/3408-22-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3408-7-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/4220-47-0x0000022F44A60000-0x0000022F44A67000-memory.dmp

Filesize
28KB

Download
memory/4220-50-0x00007FFEBEF20000-0x00007FFEBF017000-memory.dmp

Filesize
988KB

Download
memory/4220-44-0x00007FFEBEF20000-0x00007FFEBF017000-memory.dmp

Filesize
988KB

Download
memory/4584-67-0x00007FFEBED00000-0x00007FFEBEDF8000-memory.dmp

Filesize
992KB

Download
memory/4584-61-0x0000024939E90000-0x0000024939E97000-memory.dmp

Filesize
28KB

Download
memory/4584-62-0x00007FFEBED00000-0x00007FFEBEDF8000-memory.dmp

Filesize
992KB

Download