dridex | 48ea1383f689277896530bfa764b94ad28d613fa038c3e418d0f53b4d9b30fa5

Analysis

max time kernel
70s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48ea1383f689277896530bfa764b94ad28d613fa038c3e418d0f53b4d9b30fa5.dll
Size

780KB
MD5

8af03012f1ac4220846c9fff35b62bfc
SHA1

689874bf9fceea26456670698904b4e29efaf6a1
SHA256

48ea1383f689277896530bfa764b94ad28d613fa038c3e418d0f53b4d9b30fa5
SHA512

6fe0e95d527709523be2099e2aab9ee2b6d82f1490451b4eda49b7bef3a85a8afb8fa543d334f2a7327e7e64809ca75cd2ea9713773c05bc9a979c4a354660b1
SSDEEP

12288:obP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQw:obe42XV7KWgmjDR/T4a/Mdjm1

Score

10^/10

dridex botnet defense_evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3380-4-0x00000000053E0000-0x00000000053E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2220	slui.exe
4160	CloudNotifications.exe
1152	AgentService.exe

Loads dropped DLL 3 IoCs

pid	Process
2220	slui.exe
4160	CloudNotifications.exe
1152	AgentService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zamtnersbcm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\RzmIsRa\\wQiTYf\\CloudNotifications.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2772	rundll32.exe
2772	rundll32.exe
2772	rundll32.exe
2772	rundll32.exe
2772	rundll32.exe
2772	rundll32.exe
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found
Token: SeShutdownPrivilege	3380	Process not Found
Token: SeCreatePagefilePrivilege	3380	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 2996	3380	Process not Found	91
PID 3380 wrote to memory of 2996	3380	Process not Found	91
PID 3380 wrote to memory of 2220	3380	Process not Found	92
PID 3380 wrote to memory of 2220	3380	Process not Found	92
PID 3380 wrote to memory of 2164	3380	Process not Found	93
PID 3380 wrote to memory of 2164	3380	Process not Found	93
PID 3380 wrote to memory of 4160	3380	Process not Found	94
PID 3380 wrote to memory of 4160	3380	Process not Found	94
PID 3380 wrote to memory of 912	3380	Process not Found	95
PID 3380 wrote to memory of 912	3380	Process not Found	95
PID 3380 wrote to memory of 1152	3380	Process not Found	96
PID 3380 wrote to memory of 1152	3380	Process not Found	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48ea1383f689277896530bfa764b94ad28d613fa038c3e418d0f53b4d9b30fa5.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2996

C:\Users\Admin\AppData\Local\BixnPjihE\slui.exe
C:\Users\Admin\AppData\Local\BixnPjihE\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2220

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:2164

C:\Users\Admin\AppData\Local\7Kj6\CloudNotifications.exe
C:\Users\Admin\AppData\Local\7Kj6\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4160

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:912

C:\Users\Admin\AppData\Local\lgZ\AgentService.exe
C:\Users\Admin\AppData\Local\lgZ\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7Kj6\CloudNotifications.exe

Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\7Kj6\UxTheme.dll

Filesize
784KB

MD5
436f37f8b74df705847275325d794320

SHA1
61dcff39365c817ba561a109bd19e3dc19dc8062

SHA256
e198da4af8e404a64b953d9f7c8bbd8661e538575654a481f2c7e9b5d41f7393

SHA512
51ebe475baf044075a5fa367bcda3f9361c82953852a60e5ba3807536f544c133f88310440a488dfd363fd2c358a780fca392cdb469075e9346412585669f1eb

Download Submit
C:\Users\Admin\AppData\Local\BixnPjihE\SLC.dll

Filesize
784KB

MD5
a252d1181e0b83679976ce38eea57628

SHA1
0bbed12e582e1c16b4ac750bd1157e6c601c4dec

SHA256
1dfd2fdb701c2f1628a7a0673d865aa19a39dcd633e939b4274a421cdd79d56d

SHA512
5044d89a2e28530bbd874af7b610eb6bcb7508d45c70989423b4c902de08314574b647ef473dda54266868a63f429c41016dac6abd3d0a6f30eba6801d3f418d

Download Submit
C:\Users\Admin\AppData\Local\BixnPjihE\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Local\lgZ\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Local\lgZ\VERSION.dll

Filesize
780KB

MD5
0fc4f82be7c44993218495911355ef9b

SHA1
23d8dad415432b0a405c38e336e731045609927e

SHA256
ad1f56cf294cc98fcbf62b4c6a9d70661d670c559910ef44ba796e3ae0d260f6

SHA512
c978f40082ec28194a2f99e8720c81eb08e73f9bb8497464dd495af9ff259c9baecd8be4ad592b8499bcf5c5e47542c691d1b5a2d2114cb28171715dc9e26667

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tlxzoh.lnk

Filesize
758B

MD5
1518023fe56e8ae09fa36048e322846f

SHA1
95bf10047b550ed78b2b09ebe275b50b6d5a85e1

SHA256
a49a87715680733bd79aaa3610f0b21eacef0dbf3ffc462bb62f5bbf21d877eb

SHA512
ae8d05d04a6e6fbee2e6dc4e8f957441cce999ae1c28620e2eb80eab918b5dc46b100d987d302ca5330cd60d3469c51e226ae44f7152752ac771daf4201df5dd

Download Submit
memory/1152-78-0x000001B03ED70000-0x000001B03ED77000-memory.dmp

Filesize
28KB

Download
memory/1152-84-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2220-49-0x000001F185950000-0x000001F185957000-memory.dmp

Filesize
28KB

Download
memory/2220-50-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2220-44-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2772-10-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2772-0-0x000002D9D28B0000-0x000002D9D28B7000-memory.dmp

Filesize
28KB

Download
memory/2772-1-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-14-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-33-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-13-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-11-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-23-0x0000000003220000-0x0000000003227000-memory.dmp

Filesize
28KB

Download
memory/3380-22-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-15-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-35-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-12-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-24-0x00007FFBB4F60000-0x00007FFBB4F70000-memory.dmp

Filesize
64KB

Download
memory/3380-9-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-4-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3380-8-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-7-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3380-5-0x00007FFBB389A000-0x00007FFBB389B000-memory.dmp

Filesize
4KB

Download
memory/4160-67-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/4160-61-0x00000176D2750000-0x00000176D2757000-memory.dmp

Filesize
28KB

Download