dridex | 84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243.dll
Size

892KB
MD5

009476457e7f03b7c55a0b468c9be2c1
SHA1

ea8823b66b647bd936a65d9b745d4431378e14e9
SHA256

84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243
SHA512

ef82b8b9c84ac1fe2c1326c2a07a632504786179811f956bfc9c65f203d4fe395981db8891420b18906302d8ff01d63a18bb34e88104c7975b13531fc412d180
SSDEEP

12288:3ZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:3ZK6F7nVeRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3532-4-0x00000000088C0000-0x00000000088C1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

rdpinit.exeSystemPropertiesHardware.exedialer.exe

pid process

3744 rdpinit.exe
884 SystemPropertiesHardware.exe
2000 dialer.exe
Loads dropped DLL 3 IoCs

Processes:

rdpinit.exeSystemPropertiesHardware.exedialer.exe

pid process

3744 rdpinit.exe
884 SystemPropertiesHardware.exe
2000 dialer.exe

resource	yara_rule
behavioral2/memory/3532-4-0x00000000088C0000-0x00000000088C1000-memory.dmp	dridex_stager_shellcode

pid	process
3744	rdpinit.exe
884	SystemPropertiesHardware.exe
2000	dialer.exe

pid	process
3744	rdpinit.exe
884	SystemPropertiesHardware.exe
2000	dialer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zyaxxifxvt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\mvvn3\\SystemPropertiesHardware.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinit.exeSystemPropertiesHardware.exedialer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdpinit.exe

pid	process
4772	rundll32.exe
4772	rundll32.exe
4772	rundll32.exe
4772	rundll32.exe
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3744	rdpinit.exe
3744	rdpinit.exe
3532
3532
3532
3532

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3532
3532
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3532

pid	process
3532
3532

pid	process
3532

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3532 wrote to memory of 2864	3532	rdpinit.exe
PID 3532 wrote to memory of 2864	3532	rdpinit.exe
PID 3532 wrote to memory of 3744	3532	rdpinit.exe
PID 3532 wrote to memory of 3744	3532	rdpinit.exe
PID 3532 wrote to memory of 524	3532	SystemPropertiesHardware.exe
PID 3532 wrote to memory of 524	3532	SystemPropertiesHardware.exe
PID 3532 wrote to memory of 884	3532	SystemPropertiesHardware.exe
PID 3532 wrote to memory of 884	3532	SystemPropertiesHardware.exe
PID 3532 wrote to memory of 4364	3532	dialer.exe
PID 3532 wrote to memory of 4364	3532	dialer.exe
PID 3532 wrote to memory of 2000	3532	dialer.exe
PID 3532 wrote to memory of 2000	3532	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2864

C:\Users\Admin\AppData\Local\3Knhbd\rdpinit.exe
C:\Users\Admin\AppData\Local\3Knhbd\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3744

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:524

C:\Users\Admin\AppData\Local\XKtMXiI\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\XKtMXiI\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:884

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:4364

C:\Users\Admin\AppData\Local\HXRpQ\dialer.exe
C:\Users\Admin\AppData\Local\HXRpQ\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3Knhbd\WINSTA.dll
Filesize
900KB

MD5
36d8306373ab0bd0234b6ae7444fe9b2

SHA1
fb1824ae5275674603ef48e2059cd4c1f39d6f4d

SHA256
6a75077e8bae0867fce01366ac9c79bd5a3216ea3bf9408ecf15962a5225318e

SHA512
7fb48fa9ec9d231002957c46822fa72eaa4ad57ac6c5944adfa6bc29b62df3d68327174b777c532094f21aeb1c7e9d2783b97fea6ebebf7f0f97061833c5c88f

Download Submit
C:\Users\Admin\AppData\Local\3Knhbd\rdpinit.exe
Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\HXRpQ\TAPI32.dll
Filesize
900KB

MD5
4fe5bc9a54360e9639da4e111d3ff0fb

SHA1
657e381bb98c65fcb27a0b193496683e6a654dd0

SHA256
6186cf8ee199547e4aca80af1d0ab4d57155c35a3b5ceb636f005ac2ece948f8

SHA512
d2b92144a7c58c5a20ebb0970e1c1ccf1a3ca3d92963b15887b342499590b5580993744e6706ed5acada4212b32b9fb22230e9c64d275294e3398fb6c3b353ee

Download Submit
C:\Users\Admin\AppData\Local\HXRpQ\dialer.exe
Filesize
39KB

MD5
b2626bdcf079c6516fc016ac5646df93

SHA1
838268205bd97d62a31094d53643c356ea7848a6

SHA256
e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

SHA512
615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

Download Submit
C:\Users\Admin\AppData\Local\XKtMXiI\SYSDM.CPL
Filesize
896KB

MD5
c36c1f5642b9f9e3cc8b108a085163f0

SHA1
2456d61391b6c3c770f6d9d81f9d36103d5f8a40

SHA256
b365bcbc98069ac5bc28f74218184bc887991040a4fdd6bd245f6539786e0255

SHA512
5808267ca748aec5d0057aa88c640d09b0ebbfa4204c53103e86de4a6f3b5f511abb3ced71b74538f747963d0ed1a1884162a0f0ec5a43a7bbac2d34ab47901a

Download Submit
C:\Users\Admin\AppData\Local\XKtMXiI\SystemPropertiesHardware.exe
Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kscubvdexgimjec.lnk
Filesize
1KB

MD5
418fe7e77a19ed5d1597686915d61ec5

SHA1
c5c2b28c009ee71f9c81140a3d4a08877cbd674f

SHA256
8928c3c734dc134569fd5876eadba6b279656b3cc8fba200ee6dcbd2307616fa

SHA512
abe3bbbaaee9b725345c0be29878c2f2e504787b4857334a501daef1f169e560a3220d33601d5f65e1a577348fdc6bee0bc743691cf369bf11f2896d423b32eb

Download Submit
memory/884-79-0x00007FFAF0770000-0x00007FFAF0850000-memory.dmp

Filesize
896KB

Download
memory/884-84-0x00007FFAF0770000-0x00007FFAF0850000-memory.dmp

Filesize
896KB

Download
memory/884-78-0x0000023597430000-0x0000023597437000-memory.dmp

Filesize
28KB

Download
memory/2000-95-0x00007FFAE0F60000-0x00007FFAE1041000-memory.dmp

Filesize
900KB

Download
memory/2000-98-0x000002176E6D0000-0x000002176E6D7000-memory.dmp

Filesize
28KB

Download
memory/2000-101-0x00007FFAE0F60000-0x00007FFAE1041000-memory.dmp

Filesize
900KB

Download
memory/3532-14-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-8-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-28-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-24-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-22-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-23-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-21-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-19-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-18-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-4-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/3532-16-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-17-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-15-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-30-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-13-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-12-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-11-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-10-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-9-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-29-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-6-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-20-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-38-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-54-0x00007FFAFF080000-0x00007FFAFF090000-memory.dmp

Filesize
64KB

Download
memory/3532-27-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-26-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-25-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-53-0x00007FFAFD21A000-0x00007FFAFD21B000-memory.dmp

Filesize
4KB

Download
memory/3532-31-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-32-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-47-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-49-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3532-52-0x00000000088A0000-0x00000000088A7000-memory.dmp

Filesize
28KB

Download
memory/3744-67-0x00007FFAE05E0000-0x00007FFAE06C1000-memory.dmp

Filesize
900KB

Download
memory/3744-64-0x000001A7E06F0000-0x000001A7E06F7000-memory.dmp

Filesize
28KB

Download
memory/3744-61-0x00007FFAE05E0000-0x00007FFAE06C1000-memory.dmp

Filesize
900KB

Download
memory/4772-7-0x00007FFAF0E40000-0x00007FFAF0F1F000-memory.dmp

Filesize
892KB

Download
memory/4772-1-0x00007FFAF0E40000-0x00007FFAF0F1F000-memory.dmp

Filesize
892KB

Download
memory/4772-3-0x0000015A645E0000-0x0000015A645E7000-memory.dmp

Filesize
28KB

Download