dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral21/memory/1204-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msdtc.exetabcal.execmstp.exe

pid process

2684 msdtc.exe
1624 tabcal.exe
2812 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

msdtc.exetabcal.execmstp.exe

pid process

1204
2684 msdtc.exe
1204
1624 tabcal.exe
1204
2812 cmstp.exe
1204

pid	process
2684	msdtc.exe
1624	tabcal.exe
2812	cmstp.exe

pid	process
1204
2684	msdtc.exe
1204
1624	tabcal.exe
1204
2812	cmstp.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\02\\tabcal.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmstp.exerundll32.exemsdtc.exetabcal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2104	rundll32.exe
2104	rundll32.exe
2104	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2772	1204	msdtc.exe
PID 1204 wrote to memory of 2772	1204	msdtc.exe
PID 1204 wrote to memory of 2772	1204	msdtc.exe
PID 1204 wrote to memory of 2684	1204	msdtc.exe
PID 1204 wrote to memory of 2684	1204	msdtc.exe
PID 1204 wrote to memory of 2684	1204	msdtc.exe
PID 1204 wrote to memory of 2156	1204	tabcal.exe
PID 1204 wrote to memory of 2156	1204	tabcal.exe
PID 1204 wrote to memory of 2156	1204	tabcal.exe
PID 1204 wrote to memory of 1624	1204	tabcal.exe
PID 1204 wrote to memory of 1624	1204	tabcal.exe
PID 1204 wrote to memory of 1624	1204	tabcal.exe
PID 1204 wrote to memory of 2588	1204	cmstp.exe
PID 1204 wrote to memory of 2588	1204	cmstp.exe
PID 1204 wrote to memory of 2588	1204	cmstp.exe
PID 1204 wrote to memory of 2812	1204	cmstp.exe
PID 1204 wrote to memory of 2812	1204	cmstp.exe
PID 1204 wrote to memory of 2812	1204	cmstp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:2772

C:\Users\Admin\AppData\Local\dRrLi\msdtc.exe
C:\Users\Admin\AppData\Local\dRrLi\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2684

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2156

C:\Users\Admin\AppData\Local\tjTP\tabcal.exe
C:\Users\Admin\AppData\Local\tjTP\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1624

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2588

C:\Users\Admin\AppData\Local\ezOlKqq\cmstp.exe
C:\Users\Admin\AppData\Local\ezOlKqq\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dRrLi\VERSION.dll

Filesize
1.2MB

MD5
2ea3372bf2a59ddf29b2f115052d7788

SHA1
cd1af1cfa3bfb813f96bd971d5067f22df6e97eb

SHA256
75f10e218a62a7b97e8dfcc3e71c288ba83403623fd6deb13a3a79097ec8ffe7

SHA512
3f38d43258314bd8522a67591d684acac1e80b8c542fee4f9806e065ccd8d347d48eecf2900671dae2b1d3b7ce6fa55b48c3e32daf4c13331632c99dfcd3c988

Download Submit
C:\Users\Admin\AppData\Local\ezOlKqq\VERSION.dll

Filesize
1.2MB

MD5
a16fa8833c970132d8ad8aefb37e0c2b

SHA1
e39cc03bf504f1d98410fb5d71b62e6d094d98b2

SHA256
71262421be65c90a42bfdfbbdf1d6fd03b1a3029cd9605a8dd35a1c2520d8259

SHA512
40e714813a81dbfd015da4f94e10017114ed635c346c6836eb38d36728a006d2cf1d0f3a87ba9a4b74c746c754d80ebb8cc151b3933defddfaf1d5df26383f6b

Download Submit
C:\Users\Admin\AppData\Local\tjTP\HID.DLL

Filesize
1.2MB

MD5
23215edc3f324842d6b96dd89477c5c1

SHA1
d7c5979b76ca68d99df6ae7a3f4f18b68b9c579c

SHA256
0d038882c5d1bc39face3b77945eb2cb7e73d5315607aad75f723cc3e90082f8

SHA512
cdd739a9e2da2705c40d88f7b786b5b532e02bd8479d393050b67ae8790c804987d932067b67a236795dfa58a8017792652313dc48cf8640cb936319535db109

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Smfbypnq.lnk

Filesize
1KB

MD5
8ac12636146f75dc64d5aa3ecf4ccaed

SHA1
d7f9cbb0e94bf47ef4fd19dbf6078514cec46398

SHA256
2a5729b9417ad6cfad00544a77e32538f82406ec1c47a65bdf651824fd35d51b

SHA512
ea138056e9c6b25904d5e5160436ebde8766c1f802f6cd6066c69069614d76353fd25d62cb6a5d3dd5b599960d9758f90e252cf6372350b6e068501102d2d44f

Download Submit
\Users\Admin\AppData\Local\dRrLi\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Local\ezOlKqq\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\tjTP\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
memory/1204-30-0x0000000077660000-0x0000000077662000-memory.dmp

Filesize
8KB

Download
memory/1204-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-26-0x0000000002DA0000-0x0000000002DA7000-memory.dmp

Filesize
28KB

Download
memory/1204-4-0x00000000772C6000-0x00000000772C7000-memory.dmp

Filesize
4KB

Download
memory/1204-29-0x00000000774D1000-0x00000000774D2000-memory.dmp

Filesize
4KB

Download
memory/1204-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1204-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-75-0x00000000772C6000-0x00000000772C7000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1624-76-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1624-79-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2104-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2104-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2104-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2684-60-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2684-55-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2684-54-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2812-96-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download