dridex | 24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359d

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359dN.dll
Size

780KB
MD5

523e161e7f0441375283519de5dd1640
SHA1

18317845671b0ed94fa1b4633d673c55193e39ad
SHA256

24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359d
SHA512

1556e848fa07d1dc24ca516313c1479dddcd527246df26ddf1dcb01cc8e8a98caf37879c01b4472d93115575791366984f93d401f6ea9047153ab99c8e080b57
SSDEEP

12288:obP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:obe42XV7KWgmjDR/T4a/Mdjm

Score

10^/10

dridex botnet defense_evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002E70000-0x0000000002E71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2920	Magnify.exe
2636	unregmp2.exe
2504	sdclt.exe

Loads dropped DLL 7 IoCs

pid	Process
1204	Process not Found
2920	Magnify.exe
1204	Process not Found
2636	unregmp2.exe
1204	Process not Found
2504	sdclt.exe
1204	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\zncF\\unregmp2.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
752	rundll32.exe
752	rundll32.exe
752	rundll32.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2760	1204	Process not Found	31
PID 1204 wrote to memory of 2760	1204	Process not Found	31
PID 1204 wrote to memory of 2760	1204	Process not Found	31
PID 1204 wrote to memory of 2920	1204	Process not Found	32
PID 1204 wrote to memory of 2920	1204	Process not Found	32
PID 1204 wrote to memory of 2920	1204	Process not Found	32
PID 1204 wrote to memory of 2880	1204	Process not Found	33
PID 1204 wrote to memory of 2880	1204	Process not Found	33
PID 1204 wrote to memory of 2880	1204	Process not Found	33
PID 1204 wrote to memory of 2636	1204	Process not Found	34
PID 1204 wrote to memory of 2636	1204	Process not Found	34
PID 1204 wrote to memory of 2636	1204	Process not Found	34
PID 1204 wrote to memory of 2692	1204	Process not Found	35
PID 1204 wrote to memory of 2692	1204	Process not Found	35
PID 1204 wrote to memory of 2692	1204	Process not Found	35
PID 1204 wrote to memory of 2504	1204	Process not Found	36
PID 1204 wrote to memory of 2504	1204	Process not Found	36
PID 1204 wrote to memory of 2504	1204	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359dN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:2760

C:\Users\Admin\AppData\Local\BNIGNAH\Magnify.exe
C:\Users\Admin\AppData\Local\BNIGNAH\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2920

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:2880

C:\Users\Admin\AppData\Local\7bMK5\unregmp2.exe
C:\Users\Admin\AppData\Local\7bMK5\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2692

C:\Users\Admin\AppData\Local\i7IeWAnN\sdclt.exe
C:\Users\Admin\AppData\Local\i7IeWAnN\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7bMK5\unregmp2.exe

Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
C:\Users\Admin\AppData\Local\BNIGNAH\Magnify.exe

Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
C:\Users\Admin\AppData\Local\BNIGNAH\dwmapi.dll

Filesize
780KB

MD5
cf8c1ed060ad4a0f72ee7f10919b9e70

SHA1
443f277c41e16edae26364e71bc753f0c36decef

SHA256
dd5a03ca528414637120eb3639acb1602254df699b58583a2e6b6940a2a9e4d7

SHA512
dbfbaf57a5d7fabba8740d73558ccf55e40234a003ee19bf79074bfea05793958e09f3cd90c5ce4309d28fec7795a067bd7ef6eadfac78c879c0a166aba94587

Download Submit
C:\Users\Admin\AppData\Local\i7IeWAnN\WTSAPI32.dll

Filesize
784KB

MD5
c5b604bc56bbf625066cd540be6d296b

SHA1
b83700b7ae11af6241a3cbb4ce1b53fee1759fe6

SHA256
ab5d16098110f1d88eafb16d451a4620e986e4fda2cb7ce7d101b1b85d0e7e75

SHA512
7837dbec399c0fcc3c0eaed8b6287c0dddd85e50012aa5ca4e073adb4173fdf95a58dfdfcef16339c0fe43050ec36205f4ac408074a797c79fd8c0e1874ba7cf

Download Submit
C:\Users\Admin\AppData\Local\i7IeWAnN\sdclt.exe

Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk

Filesize
1KB

MD5
96168eff7d83670073ac71aaa8b0ad6d

SHA1
21b1ffe2bff0086e6a17b181bee843bb9fcded98

SHA256
8edb32d00febda0fa6117bfc02afdcc2fc8ddd59142b27d6f7ec6e1f5cee7967

SHA512
cf6b7ad37c6dfcb3a8b15517bdeed222709c73c6c53cf3d3f6d233922feb348b88dfd21b10c2b620d43ffe3e1ab1a4df62630cb39b70c1d18326a794b65c146e

Download Submit
\Users\Admin\AppData\Local\7bMK5\VERSION.dll

Filesize
780KB

MD5
821851ee9d9b0f396aa16dd322a72dae

SHA1
3860001bcc477463bd934fe94b668e48f9473bed

SHA256
d7846e1c3920be20a20491aac3c4b392b706e33e4aca53d784105e580004c0e3

SHA512
e7a722cbc834830458b9f301ca2cac67949926a97c7c2a56758c8ad53f1bfb4ab2ccdb7c621fc0f1b7fcf5e47745d87cc4440cfd8d0e617406619d088111299f

Download Submit
memory/752-11-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/752-0-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/752-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1204-14-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-5-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1204-10-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-9-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-8-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-7-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-27-0x00000000779C0000-0x00000000779C2000-memory.dmp

Filesize
8KB

Download
memory/1204-34-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-39-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-38-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-13-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-15-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-4-0x0000000077756000-0x0000000077757000-memory.dmp

Filesize
4KB

Download
memory/1204-107-0x0000000077756000-0x0000000077757000-memory.dmp

Filesize
4KB

Download
memory/1204-24-0x0000000077861000-0x0000000077862000-memory.dmp

Filesize
4KB

Download
memory/1204-12-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/1204-23-0x0000000002E50000-0x0000000002E57000-memory.dmp

Filesize
28KB

Download
memory/1204-22-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2504-93-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2504-88-0x0000000140000000-0x00000001400C4000-memory.dmp

Filesize
784KB

Download
memory/2504-87-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2636-75-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download
memory/2636-73-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2920-57-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/2920-58-0x0000000140000000-0x00000001400C3000-memory.dmp

Filesize
780KB

Download