dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

13-05-2024 17:36

12-05-2024 17:17

12-05-2024 16:15

10-05-2024 18:05

10-05-2024 17:48

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral22/memory/3424-4-0x00000000033A0000-0x00000000033A1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

RdpSa.exeDeviceEnroller.exeraserver.exe

pid process

968 RdpSa.exe
5000 DeviceEnroller.exe
3756 raserver.exe
Loads dropped DLL 3 IoCs

Processes:

RdpSa.exeDeviceEnroller.exeraserver.exe

pid process

968 RdpSa.exe
5000 DeviceEnroller.exe
3756 raserver.exe

resource	yara_rule
behavioral22/memory/3424-4-0x00000000033A0000-0x00000000033A1000-memory.dmp	dridex_stager_shellcode

pid	process
968	RdpSa.exe
5000	DeviceEnroller.exe
3756	raserver.exe

pid	process
968	RdpSa.exe
5000	DeviceEnroller.exe
3756	raserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\8kEo\\DeviceEnroller.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeRdpSa.exeDeviceEnroller.exeraserver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3956	rundll32.exe
3956	rundll32.exe
3956	rundll32.exe
3956	rundll32.exe
3956	rundll32.exe
3956	rundll32.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3424
Token: SeCreatePagefilePrivilege 3424
Token: SeShutdownPrivilege 3424
Token: SeCreatePagefilePrivilege 3424
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3424

description	pid	process
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424

pid	process
3424

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3424 wrote to memory of 4516	3424	RdpSa.exe
PID 3424 wrote to memory of 4516	3424	RdpSa.exe
PID 3424 wrote to memory of 968	3424	RdpSa.exe
PID 3424 wrote to memory of 968	3424	RdpSa.exe
PID 3424 wrote to memory of 2036	3424	DeviceEnroller.exe
PID 3424 wrote to memory of 2036	3424	DeviceEnroller.exe
PID 3424 wrote to memory of 5000	3424	DeviceEnroller.exe
PID 3424 wrote to memory of 5000	3424	DeviceEnroller.exe
PID 3424 wrote to memory of 3216	3424	raserver.exe
PID 3424 wrote to memory of 3216	3424	raserver.exe
PID 3424 wrote to memory of 3756	3424	raserver.exe
PID 3424 wrote to memory of 3756	3424	raserver.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3956

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:4516

C:\Users\Admin\AppData\Local\wMyXxjwax\RdpSa.exe
C:\Users\Admin\AppData\Local\wMyXxjwax\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:968

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:2036

C:\Users\Admin\AppData\Local\DchAUp\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\DchAUp\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5000

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:3216

C:\Users\Admin\AppData\Local\t7Quve9c\raserver.exe
C:\Users\Admin\AppData\Local\t7Quve9c\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DchAUp\DeviceEnroller.exe
Filesize
448KB

MD5
946d9474533f58d2613078fd14ca7473

SHA1
c2620ac9522fa3702a6a03299b930d6044aa5e49

SHA256
cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

SHA512
3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

Download Submit
C:\Users\Admin\AppData\Local\DchAUp\XmlLite.dll
Filesize
1.2MB

MD5
6416b738d57134b6ae8fe8a4b84b9e09

SHA1
5a02b350ea879cf2953553a0a2302b1f11bb828b

SHA256
ecc360a89911e94c098d0fff2486c682f0ae01785ba41342f7200d19367f3495

SHA512
e3a6c084829d24fcb0189b99796d2bb4f2fb07b7cc6cf783a9e08398705dd3274f46508cd83600fb8f51885971d690c6bd733ef3b32fbbd4dbddba7fa4aa756e

Download Submit
C:\Users\Admin\AppData\Local\t7Quve9c\WTSAPI32.dll
Filesize
1.2MB

MD5
8eaf7f0e8092b2cf7733d8bde0432ad4

SHA1
cc940fc93735726abc5be709f218d65bc10cc40b

SHA256
056a70daadd5e3e4bf47c330b78ef49a6299ff7ec2486a1fbdeba7ecac629aca

SHA512
b916a7f2f32c40f54356350a686c3898ddbc4ed60011742cc02c641ee9abc64828e5371f87c8cd8a631ba1258f200dca4bcc955441990eb2b155ab546d6f3ca5

Download Submit
C:\Users\Admin\AppData\Local\t7Quve9c\raserver.exe
Filesize
132KB

MD5
d1841c6ee4ea45794ced131d4b68b60e

SHA1
4be6d2116060d7c723ac2d0b5504efe23198ea01

SHA256
38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

SHA512
d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

Download Submit
C:\Users\Admin\AppData\Local\wMyXxjwax\RdpSa.exe
Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\wMyXxjwax\WINSTA.dll
Filesize
1.2MB

MD5
0dcb83d44f3bcb33d09a00417e0ec0b5

SHA1
f6aadc850175d88dd4a3f2125935accc9ae6b6b2

SHA256
e3d69079971cd152bec145cf6adb828617a0c6537cdaf743c6118919a70ab134

SHA512
9ee916ea09919ae58c4c3ac70189880ee4a7670320d535aa3e2727360b02c15e241c93180cdb6b0d6d4724d53ae18dc4cee984a8d648cfc529d5eef8a6124413

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnk
Filesize
1KB

MD5
00a792a62bdd5a0e878357451abe8e40

SHA1
4e0e01a9de8647d2926f5f63a51933618706229a

SHA256
81cee6dfff40256ebd09a61b77396d794e7381dd4afb535fdabf5316d6fccefc

SHA512
e456ac09527cb4afacf4fc5558bd5bacdad41df6c8c2f13732129b5d894acf5987e239dfbf587ec0598a28eb95ffdc4137ad9e186d34a03d88a31c5fe0bcb739

Download Submit
memory/968-46-0x000001FEABCB0000-0x000001FEABCB7000-memory.dmp

Filesize
28KB

Download
memory/968-47-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/968-52-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3424-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-6-0x00007FFD413CA000-0x00007FFD413CB000-memory.dmp

Filesize
4KB

Download
memory/3424-4-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3424-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3424-28-0x00000000010D0000-0x00000000010D7000-memory.dmp

Filesize
28KB

Download
memory/3424-29-0x00007FFD414B0000-0x00007FFD414C0000-memory.dmp

Filesize
64KB

Download
memory/3424-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3756-83-0x000001EEC4A40000-0x000001EEC4A47000-memory.dmp

Filesize
28KB

Download
memory/3756-86-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3956-0-0x00000282EEE00000-0x00000282EEE07000-memory.dmp

Filesize
28KB

Download
memory/3956-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3956-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/5000-63-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/5000-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/5000-66-0x0000023F21EA0000-0x0000023F21EA7000-memory.dmp

Filesize
28KB

Download