dridex | 794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll
Size

780KB
MD5

1554104d7f9db2f8a779405eb5707b9b
SHA1

77434050361476de655662ac77e4543ed387f653
SHA256

794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43
SHA512

f278140c72faf11cf14cfe885016034dd735ad569c8ee5cb9ae4a6d5694e7ed91b491ae02ef9473d1554d2da19292598d44414c1c714b506929be0fb46307ad1
SSDEEP

24576:aWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij+:dnuVMK6vx2RsIKNrj+

Score

10^/10

dridex botnet defense_evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3468-4-0x0000000002480000-0x0000000002481000-memory.dmp	dridex_stager_shellcode

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\IY25qhmWAP0	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\IY25qhmWAP0\XmlLite.dll	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\IY25qhmWAP0\upfc.exe	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
4388	WindowsActionDialog.exe
3516	upfc.exe
3160	WindowsActionDialog.exe

Loads dropped DLL 3 IoCs

pid	Process
4388	WindowsActionDialog.exe
3516	upfc.exe
3160	WindowsActionDialog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jyxkstijatad = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\IY25qhmWAP0\\upfc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1244	3468	Process not Found	87
PID 3468 wrote to memory of 1244	3468	Process not Found	87
PID 3468 wrote to memory of 4388	3468	Process not Found	88
PID 3468 wrote to memory of 4388	3468	Process not Found	88
PID 3468 wrote to memory of 1508	3468	Process not Found	89
PID 3468 wrote to memory of 1508	3468	Process not Found	89
PID 3468 wrote to memory of 3516	3468	Process not Found	90
PID 3468 wrote to memory of 3516	3468	Process not Found	90
PID 3468 wrote to memory of 2316	3468	Process not Found	91
PID 3468 wrote to memory of 2316	3468	Process not Found	91
PID 3468 wrote to memory of 3160	3468	Process not Found	92
PID 3468 wrote to memory of 3160	3468	Process not Found	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Op5LtTU\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\Op5LtTU\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4388

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:1508

C:\Users\Admin\AppData\Local\bqTfCNhX\upfc.exe
C:\Users\Admin\AppData\Local\bqTfCNhX\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3516

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:2316

C:\Users\Admin\AppData\Local\JbUsTTg\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\JbUsTTg\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JbUsTTg\DUI70.dll

Filesize
1.0MB

MD5
0f83cf545952ec3edad3413865568389

SHA1
9e0145d488ac07e9dff151c244c4a156df616344

SHA256
6b2e89e778eb8ac50ab14a7e8156afb92f49dfcc9dcc28f76fea6175a0e826fd

SHA512
d370fd1bf7b921ceae073c634b4a777264cf8aaf3dbb0736a4df42750e0b986e205c7eea5dfa4ccf0bd8859c1b237d414ba59ad39dd1d7d9b41a6d091c46c971

Download Submit
C:\Users\Admin\AppData\Local\Op5LtTU\DUI70.dll

Filesize
1.0MB

MD5
0a2c946dd45777092c5c22c88140c508

SHA1
af9703dec5f315e7ce35afbaac26a60b2ce0c373

SHA256
ed7d3988737413949f935368a342bea618508b47adffe6b5cc811c1dd42ff596

SHA512
5da4cde787a7b8d0dbfacf0ad2474faa13db5e1f932cb8d5cbcfe0b7291a14bf98e516e61973d146e55b0bc827fc596519d4748836ca72f1a657aa1590d0965c

Download Submit
C:\Users\Admin\AppData\Local\Op5LtTU\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\bqTfCNhX\XmlLite.dll

Filesize
780KB

MD5
da4a56a9451f2a4ba7d0eb06d75c2a12

SHA1
64449fbf85cf25468b96b45f09917449da31c439

SHA256
22345be870846457cca3dddb2fba20b2841c15be069adb05ea62f0af653c8944

SHA512
7d00cd7f450d2bd9cd2954de2178bd39433ba8f0780fd35de8dff9a39324701512f82ca6c17fb4620069281fa235904edea012d10606e12b4968ffc6b9cad715

Download Submit
C:\Users\Admin\AppData\Local\bqTfCNhX\upfc.exe

Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Esyosazhkrav.lnk

Filesize
1KB

MD5
68d5be7b25f73edbe694e8880d405dc2

SHA1
bfddfb3275677903a5ede0ff8a3cc1ba4e1ec0ba

SHA256
93e0a85164da9119e427a192a76756c032e73c8ff78029b9c4b5873e84abbe95

SHA512
9c07b1934248f553d0b8f6397d92ef6f9940ce833132d8c9e22c7c5136179ea447fee6827d8f22b1f658ab0161f6f13e4ef35da7704a99404df3b50dc92cec64

Download Submit
memory/3160-83-0x00007FFDBB360000-0x00007FFDBB469000-memory.dmp

Filesize
1.0MB

Download
memory/3468-30-0x00000000022C0000-0x00000000022C7000-memory.dmp

Filesize
28KB

Download
memory/3468-22-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-15-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-13-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-12-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-9-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-8-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-16-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-11-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-7-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-33-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-35-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3468-31-0x00007FFDC9800000-0x00007FFDC9810000-memory.dmp

Filesize
64KB

Download
memory/3468-4-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3468-5-0x00007FFDC966A000-0x00007FFDC966B000-memory.dmp

Filesize
4KB

Download
memory/3468-10-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/3516-66-0x0000020E88F20000-0x0000020E88F27000-memory.dmp

Filesize
28KB

Download
memory/3516-67-0x00007FFDBB3A0000-0x00007FFDBB463000-memory.dmp

Filesize
780KB

Download
memory/3516-61-0x00007FFDBB3A0000-0x00007FFDBB463000-memory.dmp

Filesize
780KB

Download
memory/4388-50-0x00007FFDBB360000-0x00007FFDBB469000-memory.dmp

Filesize
1.0MB

Download
memory/4388-45-0x00007FFDBB360000-0x00007FFDBB469000-memory.dmp

Filesize
1.0MB

Download
memory/4388-44-0x00000217C4DC0000-0x00000217C4DC7000-memory.dmp

Filesize
28KB

Download
memory/4916-14-0x00007FFDBB170000-0x00007FFDBB233000-memory.dmp

Filesize
780KB

Download
memory/4916-1-0x00007FFDBB170000-0x00007FFDBB233000-memory.dmp

Filesize
780KB

Download
memory/4916-0-0x000001A1BAA90000-0x000001A1BAA97000-memory.dmp

Filesize
28KB

Download