dridex | afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll
Size

780KB
MD5

3caa124004a7de62cdbcb2c165e57610
SHA1

9e023d9ad84bc5fe1dee5399d4f7772bf11cae61
SHA256

afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9
SHA512

5368089956fb170ed6cf04d4172843dbe0250484905b3d33d844fbe74bc503873802dadb167aea0d66198e40a8e90ad96cbe3937b6cb930c418c63edc739f4aa
SSDEEP

24576:aWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:dnuVMK6vx2RsIKNrj

Score

10^/10

dridex botnet defense_evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002E70000-0x0000000002E71000-memory.dmp	dridex_stager_shellcode

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6Bgr\UxTheme.dll	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6Bgr\msdt.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6Bgr	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
796	javaws.exe
1704	msdt.exe
2120	BitLockerWizardElev.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
796	javaws.exe
1196	Process not Found
1704	msdt.exe
1196	Process not Found
2120	BitLockerWizardElev.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\6Bgr\\msdt.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	rundll32.exe
2848	rundll32.exe
2848	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2576	1196	Process not Found	30
PID 1196 wrote to memory of 2576	1196	Process not Found	30
PID 1196 wrote to memory of 2576	1196	Process not Found	30
PID 1196 wrote to memory of 796	1196	Process not Found	31
PID 1196 wrote to memory of 796	1196	Process not Found	31
PID 1196 wrote to memory of 796	1196	Process not Found	31
PID 1196 wrote to memory of 376	1196	Process not Found	32
PID 1196 wrote to memory of 376	1196	Process not Found	32
PID 1196 wrote to memory of 376	1196	Process not Found	32
PID 1196 wrote to memory of 1704	1196	Process not Found	33
PID 1196 wrote to memory of 1704	1196	Process not Found	33
PID 1196 wrote to memory of 1704	1196	Process not Found	33
PID 1196 wrote to memory of 2920	1196	Process not Found	34
PID 1196 wrote to memory of 2920	1196	Process not Found	34
PID 1196 wrote to memory of 2920	1196	Process not Found	34
PID 1196 wrote to memory of 2120	1196	Process not Found	35
PID 1196 wrote to memory of 2120	1196	Process not Found	35
PID 1196 wrote to memory of 2120	1196	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:2576

C:\Users\Admin\AppData\Local\FwmOVu\javaws.exe
C:\Users\Admin\AppData\Local\FwmOVu\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:796

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:376

C:\Users\Admin\AppData\Local\5US\msdt.exe
C:\Users\Admin\AppData\Local\5US\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1704

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2920

C:\Users\Admin\AppData\Local\cAU0\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\cAU0\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5US\UxTheme.dll

Filesize
784KB

MD5
f2bdc5b037f194b8e6f05c0811afdc86

SHA1
93be58bc0d3048574b0533401548e9f68c2ac61f

SHA256
99baf245c34214c6064391fa6f54797a00080f413bbb89dde3560f85fabed8e2

SHA512
fc3f07ac979942ea08cb4832da66ee2b2b846ee5a65a4374d394c11af4852d8181a0472eb68cd874f576e319ee7139fe2470c139b7d2d0b5e604935dacf8247d

Download Submit
C:\Users\Admin\AppData\Local\FwmOVu\VERSION.dll

Filesize
780KB

MD5
0732baaf249111e4292c0dd34a226271

SHA1
d2eec50679cc428256845dda769340e6654d02e5

SHA256
2bfd746b91f198526e3d4fe884868a30ab27c8de289e8313aaad846c62df24ff

SHA512
dd5b02c547492e6170763cbcd2d902b0f96bafbf3961a7163a0d8cae915eea680b253518dcfb90351d9daaf132b192f64cf97df8082bfe71c99b1449b25ace77

Download Submit
C:\Users\Admin\AppData\Local\cAU0\FVEWIZ.dll

Filesize
784KB

MD5
e6b24a250eb85d2ccd37346cc6efb1ba

SHA1
2344bf4481e3ed0797949d6b6e246f4207522233

SHA256
82979e82e765a2b9df21da38e67382424a7f9b7f9d38be96b3c6ca7eefc3475d

SHA512
a239768aeab6f7ff6fdffe75dd08842725b9d3f44872c86bb517ba39b5ee16b5338f1598da9b018f85c767f24a5672f3db1fb64055c8934f6f9a1d11b0d704b1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk

Filesize
1KB

MD5
32f42047915c0126378cf9ac0955bdd2

SHA1
df546f2a65bd409d834e65ff3019e22822b16f6e

SHA256
72cff30c93845747c3d6d06751414111a3876e381fc6708dde3491a7081dc07d

SHA512
22909cf070e35011d087bdcb2d4fe5ef014f28ae982720fdfe43d7207cd141ed64dfbcb6c3b98d761b6d32435406782bb28db238dca03136402d56cc03aac391

Download Submit
\Users\Admin\AppData\Local\5US\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\FwmOVu\javaws.exe

Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
\Users\Admin\AppData\Local\cAU0\BitLockerWizardElev.exe

Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
memory/796-55-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/796-58-0x000007FEF64E0000-0x000007FEF65A3000-memory.dmp

Filesize
780KB

Download
memory/796-52-0x000007FEF64E0000-0x000007FEF65A3000-memory.dmp

Filesize
780KB

Download
memory/1196-15-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-24-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-105-0x0000000076B36000-0x0000000076B37000-memory.dmp

Filesize
4KB

Download
memory/1196-10-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-9-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-8-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-25-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

Filesize
8KB

Download
memory/1196-34-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-40-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-43-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-14-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-4-0x0000000076B36000-0x0000000076B37000-memory.dmp

Filesize
4KB

Download
memory/1196-13-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-23-0x0000000002990000-0x0000000002997000-memory.dmp

Filesize
28KB

Download
memory/1196-17-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-22-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1196-5-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1704-76-0x000007FEF5E50000-0x000007FEF5F14000-memory.dmp

Filesize
784KB

Download
memory/1704-75-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1704-70-0x000007FEF5E50000-0x000007FEF5F14000-memory.dmp

Filesize
784KB

Download
memory/2120-93-0x000007FEF5E50000-0x000007FEF5F14000-memory.dmp

Filesize
784KB

Download
memory/2848-3-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2848-11-0x000007FEF6410000-0x000007FEF64D3000-memory.dmp

Filesize
780KB

Download
memory/2848-0-0x000007FEF6410000-0x000007FEF64D3000-memory.dmp

Filesize
780KB

Download