dridex | e39f3bcdcae4e78e73305f92a83fb3b4e438ccd669c1692321271d0a8d70d607

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2025 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e39f3bcdcae4e78e73305f92a83fb3b4e438ccd669c1692321271d0a8d70d607.dll
Size

776KB
MD5

57625062489581e062e1dcfcf2e6dddc
SHA1

e04d7fdf4a710f91205a0aff59b5da2196c65154
SHA256

e39f3bcdcae4e78e73305f92a83fb3b4e438ccd669c1692321271d0a8d70d607
SHA512

c9f08913371c44ca7b5173d4522a219ab3e974e326051a2c953ade08e9a031fb2afae99ba506dd304d8b5fe2c1f082317f0dfd93d68a7cd8e155c415fd2bb250
SSDEEP

12288:NGVNJAvuPFUl/faxmVlBLXKCgFfEK7JRLeHlX//ve7Lt:w3JAvRl/fKQKCgFfx4P/vaLt

Score

10^/10

dridex botnet defense_evasion discovery payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3440-4-0x0000000002CC0000-0x0000000002CC1000-memory.dmp	dridex_stager_shellcode

Downloads MZ/PE file 1 IoCs

flow	pid	Process
53	1960	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
3136	FXSCOVER.exe
4924	OptionalFeatures.exe
5080	SystemPropertiesProtection.exe

Loads dropped DLL 3 IoCs

pid	Process
3136	FXSCOVER.exe
4924	OptionalFeatures.exe
5080	SystemPropertiesProtection.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ydthngh = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\iQXkUZ\\OPTION~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4956	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3464	rundll32.exe
3440	Process not Found
3136	FXSCOVER.exe
4924	OptionalFeatures.exe
5080	SystemPropertiesProtection.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3484	3440	Process not Found	90
PID 3440 wrote to memory of 3484	3440	Process not Found	90
PID 3440 wrote to memory of 3136	3440	Process not Found	91
PID 3440 wrote to memory of 3136	3440	Process not Found	91
PID 3440 wrote to memory of 2844	3440	Process not Found	92
PID 3440 wrote to memory of 2844	3440	Process not Found	92
PID 3440 wrote to memory of 4924	3440	Process not Found	93
PID 3440 wrote to memory of 4924	3440	Process not Found	93
PID 3440 wrote to memory of 4124	3440	Process not Found	94
PID 3440 wrote to memory of 4124	3440	Process not Found	94
PID 3440 wrote to memory of 5080	3440	Process not Found	95
PID 3440 wrote to memory of 5080	3440	Process not Found	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e39f3bcdcae4e78e73305f92a83fb3b4e438ccd669c1692321271d0a8d70d607.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3464

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:3484

C:\Users\Admin\AppData\Local\loXtem\FXSCOVER.exe
C:\Users\Admin\AppData\Local\loXtem\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3136

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\ejvq7w0KF\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\ejvq7w0KF\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4924

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:4124

C:\Users\Admin\AppData\Local\evUR4\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\evUR4\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:5080

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUMzQkE1RkMtMDhEMS00QTJGLUJBQzctRDgxMzIxNzk5NDcxfSIgdXNlcmlkPSJ7QTY3NkY1QjMtRUFDQi00Njk5LUE1MjMtQzcyMzE1NzdCNzFBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjdDQjE3NEUtREZERS00RjU2LTkwOTgtQUZFQzMwOUUzMTYzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzY2MTI2NzAyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ejvq7w0KF\OptionalFeatures.exe

Filesize
110KB

MD5
d6cd8bef71458804dbc33b88ace56372

SHA1
a18b58445be2492c5d37abad69b5aa0d29416a60

SHA256
fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

SHA512
1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

Download Submit
C:\Users\Admin\AppData\Local\ejvq7w0KF\appwiz.cpl

Filesize
780KB

MD5
65b8d747bbe793b82aa637cd48fc3a97

SHA1
539bfab1cd04d9549be9e759eec4a819936ecfb4

SHA256
6f4118fc2b6b0da293d22aaf8ff792937b3c807e1cec432111f3c8dd09f94cdf

SHA512
b4fcd0f2ce4b21042cdfe98206d1352e0248d1c13b452a2bd84cc420c4569bb6cd586b4163b007aac4f6df3d62ff65abe94146d901434a84e014103a5ca74eb7

Download Submit
C:\Users\Admin\AppData\Local\evUR4\SYSDM.CPL

Filesize
780KB

MD5
6c95a4be8fab1d1da4ffc384d4fa163f

SHA1
0f89c4217fc226b4596533f6f632261cb25dc087

SHA256
c9359c0920b9c8cee37293f6c3fa53792fd2c39f5dd9b9e090a1b250817981f0

SHA512
88eba482754541be6f32e634214b8010641a45990adbadcb7afb4fec09bf7ade7631a25e208272172418bc00c82ad13417529e15cc42ed0a83a22f44cbf1870c

Download Submit
C:\Users\Admin\AppData\Local\evUR4\SystemPropertiesProtection.exe

Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Local\loXtem\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\loXtem\MFC42u.dll

Filesize
804KB

MD5
3cc8a05d9ce93d0996e86338ef940d8b

SHA1
cbe8c149f8f32a95f1a83192ce744b8e99a0041a

SHA256
c5616a2216ecaed95e3d3ca83dc6a29dcdcf90d8ffefdb7e8af1b4059ed5d3cf

SHA512
5b770eb2d5156818f4d2cda257f065c3b9c321661bcf87fe5dede095cb9ed8adf37a0350ffa9625756c2f56185419f8d50fbd7d81f624662f2f90d859052cb13

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmshylvlmitp.lnk

Filesize
1KB

MD5
f1eedf81c76178b9648d594b0cae9673

SHA1
cd3fd5c6f4c853c50dae44bda9a7bc63c1aaad75

SHA256
837ca88df78e8cb37d7f121f7a9e085723f492dbcb054a15e24a4ee13b26ffc5

SHA512
a648422e68f7786d6b9e1608c9e4c6e68cca29e46e4cbdb13db2577762c4e1a7107ee280a9a9cb24f99fe06771f6ff57f583cb842d91b575fa984ecb82299b4c

Download Submit
memory/3136-49-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3136-43-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3136-46-0x000002AEBDA60000-0x000002AEBDA67000-memory.dmp

Filesize
28KB

Download
memory/3440-33-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-8-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-6-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-12-0x00007FF9EC7DA000-0x00007FF9EC7DB000-memory.dmp

Filesize
4KB

Download
memory/3440-4-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/3440-34-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-7-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-11-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-9-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-10-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-13-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-20-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3440-24-0x0000000000EC0000-0x0000000000EC7000-memory.dmp

Filesize
28KB

Download
memory/3440-25-0x00007FF9EE4C0000-0x00007FF9EE4D0000-memory.dmp

Filesize
64KB

Download
memory/3464-0-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3464-21-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3464-3-0x0000020801C30000-0x0000020801C37000-memory.dmp

Filesize
28KB

Download
memory/4924-61-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/4924-66-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/4924-60-0x000002CDBBBD0000-0x000002CDBBBD7000-memory.dmp

Filesize
28KB

Download
memory/5080-77-0x0000014AC6690000-0x0000014AC6697000-memory.dmp

Filesize
28KB

Download
memory/5080-83-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download