dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

13-05-2024 17:36

12-05-2024 17:17

12-05-2024 16:15

10-05-2024 18:05

10-05-2024 17:48

Analysis

max time kernel
1799s
max time network
1169s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral11/memory/3504-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 4 IoCs

Processes:

dxgiadaptercache.exePresentationSettings.exeie4ushowIE.exeDXGIAD~1.EXE

pid process

2704 dxgiadaptercache.exe
3960 PresentationSettings.exe
4948 ie4ushowIE.exe
324 DXGIAD~1.EXE
Loads dropped DLL 5 IoCs

Processes:

dxgiadaptercache.exePresentationSettings.exeie4ushowIE.exeDXGIAD~1.EXE

pid process

2704 dxgiadaptercache.exe
2704 dxgiadaptercache.exe
3960 PresentationSettings.exe
4948 ie4ushowIE.exe
324 DXGIAD~1.EXE

resource	yara_rule
behavioral11/memory/3504-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp	dridex_stager_shellcode

pid	process
2704	dxgiadaptercache.exe
3960	PresentationSettings.exe
4948	ie4ushowIE.exe
324	DXGIAD~1.EXE

pid	process
2704	dxgiadaptercache.exe
2704	dxgiadaptercache.exe
3960	PresentationSettings.exe
4948	ie4ushowIE.exe
324	DXGIAD~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\76ekuYDj0\\PresentationSettings.exe"

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PresentationSettings.exeie4ushowIE.exeDXGIAD~1.EXErundll32.exedxgiadaptercache.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DXGIAD~1.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3504

pid	process
3504

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3504 wrote to memory of 4496	3504	dxgiadaptercache.exe
PID 3504 wrote to memory of 4496	3504	dxgiadaptercache.exe
PID 3504 wrote to memory of 2704	3504	dxgiadaptercache.exe
PID 3504 wrote to memory of 2704	3504	dxgiadaptercache.exe
PID 3504 wrote to memory of 4120	3504	PresentationSettings.exe
PID 3504 wrote to memory of 4120	3504	PresentationSettings.exe
PID 3504 wrote to memory of 3960	3504	PresentationSettings.exe
PID 3504 wrote to memory of 3960	3504	PresentationSettings.exe
PID 3504 wrote to memory of 4056	3504	ie4ushowIE.exe
PID 3504 wrote to memory of 4056	3504	ie4ushowIE.exe
PID 3504 wrote to memory of 4948	3504	ie4ushowIE.exe
PID 3504 wrote to memory of 4948	3504	ie4ushowIE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:4496

C:\Users\Admin\AppData\Local\P4gduMv\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\P4gduMv\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2704

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:4120

C:\Users\Admin\AppData\Local\jhwr2TV\PresentationSettings.exe
C:\Users\Admin\AppData\Local\jhwr2TV\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3960

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:4056

C:\Users\Admin\AppData\Local\OWa6LcD\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\OWa6LcD\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4948

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\dV2L\DXGIAD~1.EXE
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\dV2L\DXGIAD~1.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:324

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OWa6LcD\VERSION.dll
Filesize
1.2MB

MD5
00a29950e43a23fa3ef67282fc19ed3b

SHA1
efd13d7eb01a723140c46509c85a79f7e5abb3ba

SHA256
ca411affc688eaa9f4b02a2e60d40ad31366da0aec9b60e8f5bb6d5b0f02ac20

SHA512
bad81d8eab4bb25a20aa7da1ddb6dd711c5e065c47de2e4e220572883431a8750d7e6beebe0146f60017590f01546bfc363640a490b6cf9ecb309c4dd8aa9c82

Download Submit
C:\Users\Admin\AppData\Local\OWa6LcD\ie4ushowIE.exe
Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\P4gduMv\dxgi.dll
Filesize
1.2MB

MD5
85f6c7be10818a1ae96b95de94d2e952

SHA1
1d04e16490a820b0d9e2f98e45533fd6633a54c8

SHA256
1a1b19a3a9a889423fde60a5f1cc319a565f24599335f37c95298e5a943acdfb

SHA512
99dabbca42a74b73a8af2785a85ef9f577fab722b316a279bb378896a6fc03ff5fce6b4c346f2507877bc97a008828b7fb182a5e398f8fb81377030da8d644e5

Download Submit
C:\Users\Admin\AppData\Local\P4gduMv\dxgiadaptercache.exe
Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\jhwr2TV\PresentationSettings.exe
Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\jhwr2TV\WINMM.dll
Filesize
1.2MB

MD5
b0701cfce43de560e314fcc304ac09d0

SHA1
c405db853e38b9696d2d2bfc7550fda50052e4e2

SHA256
e90902f569d59630b7c33588b1ace7ba8c6a5b067fb888cf48a0bdc546169d2f

SHA512
0c2492e3d239d3a1c3a74147ad665a4317bb27d99f471b9c674e3dd9f8b5aaf70cbca985f7fce480930dfeb621af267d23bd0bf4472fa014e70d3fc7b6a8a8a8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
Filesize
1KB

MD5
352348f5ed52bac303934a9afcb68de6

SHA1
c3c4c65dff43a8dc8d3800b55c6a5f7d1ab28890

SHA256
12528902ff86377d492151bacb95d640cd132c6323a93fd4f86b66b7cd1bf865

SHA512
78e7287fec38b69d77749e3a09a6ad414d9003a4a5c77668c1cec17737398f7c207d21605b907567ef1556a4432b0cdadb0eeef558c40d6e9f2f0248445c5001

Download Submit
memory/224-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/224-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/224-3-0x0000024AD9490000-0x0000024AD9497000-memory.dmp

Filesize
28KB

Download
memory/324-566-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2704-56-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2704-47-0x0000017BD7660000-0x0000017BD77A4000-memory.dmp

Filesize
1.3MB

Download
memory/2704-48-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2704-51-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2704-52-0x0000017BD8F40000-0x0000017BD8F47000-memory.dmp

Filesize
28KB

Download
memory/3504-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-29-0x0000000000F00000-0x0000000000F07000-memory.dmp

Filesize
28KB

Download
memory/3504-30-0x00007FF91D730000-0x00007FF91D740000-memory.dmp

Filesize
64KB

Download
memory/3504-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3504-6-0x00007FF91B9EA000-0x00007FF91B9EB000-memory.dmp

Filesize
4KB

Download
memory/3504-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/3960-75-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3960-71-0x0000020471A60000-0x0000020471A67000-memory.dmp

Filesize
28KB

Download
memory/3960-68-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3960-67-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4948-90-0x000001B9582C0000-0x000001B9582C7000-memory.dmp

Filesize
28KB

Download
memory/4948-89-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4948-94-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download