dridex | db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17/07/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c.dll
Size

800KB
MD5

844f37f59e5af38fca800fb75c94a4b9
SHA1

8505caf8264a9a1cdd9a6f6cba608ef01e38a2d9
SHA256

db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c
SHA512

7c3130224a823be7271e9489497c979bae68836c3779f0028325a245ff2138ef21870c4d84fb1d7f8943a1bc1f497a2d63d95aeb8bb6a6893ad00fc4d4f55b7d
SSDEEP

12288:hBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:j/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1344-4-0x0000000002630000-0x0000000002631000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2500-0-0x000007FEF71F0000-0x000007FEF72B8000-memory.dmp	dridex_payload
behavioral1/memory/1344-38-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1344-30-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1344-51-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1344-49-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/2500-58-0x000007FEF71F0000-0x000007FEF72B8000-memory.dmp	dridex_payload
behavioral1/memory/2580-66-0x000007FEF72C0000-0x000007FEF738A000-memory.dmp	dridex_payload
behavioral1/memory/2580-71-0x000007FEF72C0000-0x000007FEF738A000-memory.dmp	dridex_payload
behavioral1/memory/688-83-0x000007FEF67C0000-0x000007FEF6889000-memory.dmp	dridex_payload
behavioral1/memory/688-88-0x000007FEF67C0000-0x000007FEF6889000-memory.dmp	dridex_payload
behavioral1/memory/2452-101-0x000007FEF6A10000-0x000007FEF6AD9000-memory.dmp	dridex_payload
behavioral1/memory/2452-105-0x000007FEF6A10000-0x000007FEF6AD9000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2580	SoundRecorder.exe
688	msdtc.exe
2452	sdclt.exe

Loads dropped DLL 7 IoCs

pid	Process
1344	Process not Found
2580	SoundRecorder.exe
1344	Process not Found
688	msdtc.exe
1344	Process not Found
2452	sdclt.exe
1344	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvzakw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\ovKtwMRHVg2\\msdtc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
1344	Process not Found
2580	SoundRecorder.exe
2580	SoundRecorder.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2848	1344	Process not Found	31
PID 1344 wrote to memory of 2848	1344	Process not Found	31
PID 1344 wrote to memory of 2848	1344	Process not Found	31
PID 1344 wrote to memory of 2580	1344	Process not Found	32
PID 1344 wrote to memory of 2580	1344	Process not Found	32
PID 1344 wrote to memory of 2580	1344	Process not Found	32
PID 1344 wrote to memory of 2628	1344	Process not Found	33
PID 1344 wrote to memory of 2628	1344	Process not Found	33
PID 1344 wrote to memory of 2628	1344	Process not Found	33
PID 1344 wrote to memory of 688	1344	Process not Found	34
PID 1344 wrote to memory of 688	1344	Process not Found	34
PID 1344 wrote to memory of 688	1344	Process not Found	34
PID 1344 wrote to memory of 2624	1344	Process not Found	35
PID 1344 wrote to memory of 2624	1344	Process not Found	35
PID 1344 wrote to memory of 2624	1344	Process not Found	35
PID 1344 wrote to memory of 2452	1344	Process not Found	36
PID 1344 wrote to memory of 2452	1344	Process not Found	36
PID 1344 wrote to memory of 2452	1344	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\5zKW062O\SoundRecorder.exe
C:\Users\Admin\AppData\Local\5zKW062O\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:2628

C:\Users\Admin\AppData\Local\Cm5\msdtc.exe
C:\Users\Admin\AppData\Local\Cm5\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:688

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2624

C:\Users\Admin\AppData\Local\CfRRubSSM\sdclt.exe
C:\Users\Admin\AppData\Local\CfRRubSSM\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5zKW062O\SoundRecorder.exe

Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
C:\Users\Admin\AppData\Local\5zKW062O\WINMM.dll

Filesize
808KB

MD5
148dc0ea1dab5d265450d5c73520cfa7

SHA1
acbd9e2daad22c7097468002dc7e0a2f96be3bce

SHA256
5dfff264426d0481e738b99b0d93dfffb3650ea90a073b09cb4e5443bc09336b

SHA512
d0cec2e40a517c696ab5f66567e809c9655c2b6133949ed74136028a7544a0cc35424e9676e9d8afd72e0864795ddc0db8ae8fb952cc255e05a39dae89f4d5b6

Download Submit
C:\Users\Admin\AppData\Local\CfRRubSSM\sdclt.exe

Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Acjenwgziemamyd.lnk

Filesize
1KB

MD5
7efca1547a243d166dec69af6c0cfb5f

SHA1
c0f9cf2a31c94c33fc844421b850bf5d3dcb99e7

SHA256
1532d4486caf540e4258ffe149703c187107fa46bd1a158cd29e11b5a0a4132d

SHA512
40822a941acc2b46645cec8dcd093631f96dcb1667a66b2a8df0c64aa888572f321a1356db0a214352afcaafe0ac98d3cc3f6a88255dcfff8bb7b60cbe187b9e

Download Submit
\Users\Admin\AppData\Local\CfRRubSSM\wer.dll

Filesize
804KB

MD5
e3abb9a7702511d10f6ffabcfa8323ce

SHA1
81df2a589f1a7cd309ca2c6cd6e6faf3ddfade14

SHA256
35f8b246e3a9988194c01f546e994fff8e32df2c14423da48c5d12213c16728f

SHA512
78b0555312a000d0445c73267f521cc479265d284d0a9b7046e24a8dc2538f1d75072a755388de0e2047f485a6b2c626285162bcead35da02be2284e8d9bbd8c

Download Submit
\Users\Admin\AppData\Local\Cm5\VERSION.dll

Filesize
804KB

MD5
bb5e1c3b06fa2459ede00d0787913bb9

SHA1
709b260c3f464b4c26cd4a2a3d03104c9d5f0b99

SHA256
cf50eafbaebc4ab98cfbf18a8db782d56e069e781f97ece3fef5fa9aa3374abd

SHA512
aec8d09f5de5c97424501292c5086c68e9b50ed83882ef604165bac5e2370b0b5c82ebfd8033799d126f9b5d337fadb9eaaf79d30b34bd7515a568b7854f7374

Download Submit
\Users\Admin\AppData\Local\Cm5\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/688-88-0x000007FEF67C0000-0x000007FEF6889000-memory.dmp

Filesize
804KB

Download
memory/688-85-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/688-83-0x000007FEF67C0000-0x000007FEF6889000-memory.dmp

Filesize
804KB

Download
memory/1344-17-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-12-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-28-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-27-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-26-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-25-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-24-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-40-0x0000000077CB0000-0x0000000077CB2000-memory.dmp

Filesize
8KB

Download
memory/1344-39-0x0000000077C80000-0x0000000077C82000-memory.dmp

Filesize
8KB

Download
memory/1344-51-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-49-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-23-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-22-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-21-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-20-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-18-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-30-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-16-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-15-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-14-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-13-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-29-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-11-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-10-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-9-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-8-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-3-0x0000000077A16000-0x0000000077A17000-memory.dmp

Filesize
4KB

Download
memory/1344-4-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1344-6-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-93-0x0000000077A16000-0x0000000077A17000-memory.dmp

Filesize
4KB

Download
memory/1344-7-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-33-0x0000000002610000-0x0000000002617000-memory.dmp

Filesize
28KB

Download
memory/1344-38-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1344-19-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/2452-101-0x000007FEF6A10000-0x000007FEF6AD9000-memory.dmp

Filesize
804KB

Download
memory/2452-105-0x000007FEF6A10000-0x000007FEF6AD9000-memory.dmp

Filesize
804KB

Download
memory/2500-58-0x000007FEF71F0000-0x000007FEF72B8000-memory.dmp

Filesize
800KB

Download
memory/2500-2-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2500-0-0x000007FEF71F0000-0x000007FEF72B8000-memory.dmp

Filesize
800KB

Download
memory/2580-68-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2580-66-0x000007FEF72C0000-0x000007FEF738A000-memory.dmp

Filesize
808KB

Download
memory/2580-71-0x000007FEF72C0000-0x000007FEF738A000-memory.dmp

Filesize
808KB

Download