dridex | 75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/07/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903.dll
Size

800KB
MD5

5df0b4b0381cc82c174e4175011a5904
SHA1

767c88a86cacfa66aa8f8715225adc9156624bf8
SHA256

75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903
SHA512

e679183963c66596592670ee8c210a068c8aca15bfb8e2607c066a6da8b4c455f5ec885a2b36c17e4e2d858cf175aa13eea797884692bd686b599ac6005396c4
SSDEEP

12288:hBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:j/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1244-4-0x0000000002580000-0x0000000002581000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2416-0-0x000007FEF6FF0000-0x000007FEF70B8000-memory.dmp	dridex_payload
behavioral1/memory/1244-30-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1244-38-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1244-49-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1244-50-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/2416-58-0x000007FEF6FF0000-0x000007FEF70B8000-memory.dmp	dridex_payload
behavioral1/memory/2720-66-0x000007FEF6FF0000-0x000007FEF70B9000-memory.dmp	dridex_payload
behavioral1/memory/2720-71-0x000007FEF6FF0000-0x000007FEF70B9000-memory.dmp	dridex_payload
behavioral1/memory/2552-83-0x000007FEF6780000-0x000007FEF6849000-memory.dmp	dridex_payload
behavioral1/memory/2552-88-0x000007FEF6780000-0x000007FEF6849000-memory.dmp	dridex_payload
behavioral1/memory/2032-101-0x000007FEF6780000-0x000007FEF684F000-memory.dmp	dridex_payload
behavioral1/memory/2032-106-0x000007FEF6780000-0x000007FEF684F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2720	slui.exe
2552	cttune.exe
2032	shrpubw.exe

Loads dropped DLL 7 IoCs

pid	Process
1244	Process not Found
2720	slui.exe
1244	Process not Found
2552	cttune.exe
1244	Process not Found
2032	shrpubw.exe
1244	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\Awg2eNS\\cttune.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	regsvr32.exe
2416	regsvr32.exe
2416	regsvr32.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2672	1244	Process not Found	30
PID 1244 wrote to memory of 2672	1244	Process not Found	30
PID 1244 wrote to memory of 2672	1244	Process not Found	30
PID 1244 wrote to memory of 2720	1244	Process not Found	31
PID 1244 wrote to memory of 2720	1244	Process not Found	31
PID 1244 wrote to memory of 2720	1244	Process not Found	31
PID 1244 wrote to memory of 2504	1244	Process not Found	32
PID 1244 wrote to memory of 2504	1244	Process not Found	32
PID 1244 wrote to memory of 2504	1244	Process not Found	32
PID 1244 wrote to memory of 2552	1244	Process not Found	33
PID 1244 wrote to memory of 2552	1244	Process not Found	33
PID 1244 wrote to memory of 2552	1244	Process not Found	33
PID 1244 wrote to memory of 2028	1244	Process not Found	34
PID 1244 wrote to memory of 2028	1244	Process not Found	34
PID 1244 wrote to memory of 2028	1244	Process not Found	34
PID 1244 wrote to memory of 2032	1244	Process not Found	35
PID 1244 wrote to memory of 2032	1244	Process not Found	35
PID 1244 wrote to memory of 2032	1244	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2672

C:\Users\Admin\AppData\Local\UcZTK\slui.exe
C:\Users\Admin\AppData\Local\UcZTK\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2720

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\HWKgzrnY\cttune.exe
C:\Users\Admin\AppData\Local\HWKgzrnY\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2552

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:2028

C:\Users\Admin\AppData\Local\27vMDPn0\shrpubw.exe
C:\Users\Admin\AppData\Local\27vMDPn0\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\27vMDPn0\MFC42u.dll

Filesize
828KB

MD5
01172cddc07e7a82cd978e6e6ace38df

SHA1
6ba00e3caa69e5b6277c44d98c567e15b5be3a96

SHA256
95cf6edc8b4d7aee0236e2a5e672143cc67bba0e18748865a18a52f7f5a3e766

SHA512
295b810f65001f6b26135decfa11d83ec5db36994230596424838bb0ae2e219c84c224b1f1b98673df20208f26e8419ec90633c563b1dd1c944acf3da2a36bc5

Download Submit
C:\Users\Admin\AppData\Local\HWKgzrnY\UxTheme.dll

Filesize
804KB

MD5
73360c1087d587196481755db0cf1e66

SHA1
c20bce7281e5aa914b2ba5e53a8a0cac96edfcc5

SHA256
bb16d3aed62157e36223eab1b18faf3d214c0b5e8c7539d639457f2a4b3fdf4e

SHA512
18bcb453838e4d4c5125e2edbabbe89841702dc47ce21ae53a8bd6c1f6f2dcdb5073a518d708eea2cdbd3d8dfb9378b0d59818db25d0adc647e9e4881933eeaf

Download Submit
C:\Users\Admin\AppData\Local\UcZTK\slc.dll

Filesize
804KB

MD5
1d2b17bc353ba6c7a212774bb041de0a

SHA1
88c0d9338f3a98cac91d52e45821daa533cfa86a

SHA256
821d705c1c1964072fd24ed06595496dc71e750f34095e3682a79f5ffdb96120

SHA512
c99dd3a61863e3c38e2af0f747277d061bfa9d74b417fa0f28032290c14febecac38de32e06aad95e1747c256c5af73ab80a62e2606dd743b70d77f606ac3fc4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1017B

MD5
80e080db55cd7586f6913e8eef2f86ae

SHA1
de4c9257a66b746a4c10ae11894f731fa24bba74

SHA256
86b5bbbf6a76b4c46d947757f0a7d33cb20a132452cc68446118dab8fcc3af73

SHA512
a0acc270a4762b3e67cd43bbc7f3862872859c6534fdde3dc3390274dbe1e100716134ee697085cc1518c457def707d60397c761938ed08ee429c68400901ac5

Download Submit
\Users\Admin\AppData\Local\27vMDPn0\shrpubw.exe

Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\HWKgzrnY\cttune.exe

Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\UcZTK\slui.exe

Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
memory/1244-16-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-12-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-37-0x0000000002560000-0x0000000002567000-memory.dmp

Filesize
28KB

Download
memory/1244-30-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-29-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-40-0x0000000077A90000-0x0000000077A92000-memory.dmp

Filesize
8KB

Download
memory/1244-39-0x0000000077A60000-0x0000000077A62000-memory.dmp

Filesize
8KB

Download
memory/1244-38-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-28-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-27-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-26-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-25-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-24-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-23-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-22-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-20-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-19-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-18-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-17-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-21-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-15-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-14-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-13-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-7-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-11-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-10-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-9-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-49-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-50-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-3-0x00000000776F6000-0x00000000776F7000-memory.dmp

Filesize
4KB

Download
memory/1244-4-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1244-6-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1244-93-0x00000000776F6000-0x00000000776F7000-memory.dmp

Filesize
4KB

Download
memory/1244-8-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/2032-101-0x000007FEF6780000-0x000007FEF684F000-memory.dmp

Filesize
828KB

Download
memory/2032-103-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2032-106-0x000007FEF6780000-0x000007FEF684F000-memory.dmp

Filesize
828KB

Download
memory/2416-58-0x000007FEF6FF0000-0x000007FEF70B8000-memory.dmp

Filesize
800KB

Download
memory/2416-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2416-0-0x000007FEF6FF0000-0x000007FEF70B8000-memory.dmp

Filesize
800KB

Download
memory/2552-83-0x000007FEF6780000-0x000007FEF6849000-memory.dmp

Filesize
804KB

Download
memory/2552-85-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2552-88-0x000007FEF6780000-0x000007FEF6849000-memory.dmp

Filesize
804KB

Download
memory/2720-68-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/2720-66-0x000007FEF6FF0000-0x000007FEF70B9000-memory.dmp

Filesize
804KB

Download
memory/2720-71-0x000007FEF6FF0000-0x000007FEF70B9000-memory.dmp

Filesize
804KB

Download