dridex | f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d.dll
Size

1.3MB
MD5

81b54c092f50db01c43d91d689878cb6
SHA1

73994ee609cbf2d69e6aa97f01f0ee415182e622
SHA256

f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d
SHA512

7b690f470d6ac288463649c040edd462b658e4c0e7de3c6e23bf97196389a1effabd01558fad3afbb23a8060d0302952ad5e7e34eda5e1ed229eee2d19319808
SSDEEP

12288:sZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:sZK6F7nVeRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002D20000-0x0000000002D21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2576	wextract.exe
2976	WindowsAnytimeUpgradeResults.exe
2088	mblctr.exe

Loads dropped DLL 7 IoCs

pid	Process
1192	Process not Found
2576	wextract.exe
1192	Process not Found
2976	WindowsAnytimeUpgradeResults.exe
1192	Process not Found
2088	mblctr.exe
1192	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rjrgyymfyoxefs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\NYDQbk5Z\\WindowsAnytimeUpgradeResults.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
2576	wextract.exe
2576	wextract.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
2976	WindowsAnytimeUpgradeResults.exe
2976	WindowsAnytimeUpgradeResults.exe
1192	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2200	1192	Process not Found	31
PID 1192 wrote to memory of 2200	1192	Process not Found	31
PID 1192 wrote to memory of 2200	1192	Process not Found	31
PID 1192 wrote to memory of 2576	1192	Process not Found	32
PID 1192 wrote to memory of 2576	1192	Process not Found	32
PID 1192 wrote to memory of 2576	1192	Process not Found	32
PID 1192 wrote to memory of 2604	1192	Process not Found	33
PID 1192 wrote to memory of 2604	1192	Process not Found	33
PID 1192 wrote to memory of 2604	1192	Process not Found	33
PID 1192 wrote to memory of 2976	1192	Process not Found	34
PID 1192 wrote to memory of 2976	1192	Process not Found	34
PID 1192 wrote to memory of 2976	1192	Process not Found	34
PID 1192 wrote to memory of 324	1192	Process not Found	35
PID 1192 wrote to memory of 324	1192	Process not Found	35
PID 1192 wrote to memory of 324	1192	Process not Found	35
PID 1192 wrote to memory of 2088	1192	Process not Found	36
PID 1192 wrote to memory of 2088	1192	Process not Found	36
PID 1192 wrote to memory of 2088	1192	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2200

C:\Users\Admin\AppData\Local\8kxswjz9\wextract.exe
C:\Users\Admin\AppData\Local\8kxswjz9\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:2604

C:\Users\Admin\AppData\Local\h5qOV\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\h5qOV\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:324

C:\Users\Admin\AppData\Local\KZ8q\mblctr.exe
C:\Users\Admin\AppData\Local\KZ8q\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8kxswjz9\VERSION.dll

Filesize
1.3MB

MD5
2eed6980393c158d6bd6e16de5462de9

SHA1
a6d24f08caa85844e96c5532a7ecb4d557c10e20

SHA256
92f37b00e124f67a57d3fd3e01718618541ca5d117081efe66e7b1623aa7a3b6

SHA512
8a5e1233fd20f05ee82b01292ad663da7fd838fd3090668fb90360c45e6a243a1cde8d099f85b32c70c44b812c540bc6a2203d276a55116616f905debf1e7ea9

Download Submit
C:\Users\Admin\AppData\Local\KZ8q\WTSAPI32.dll

Filesize
1.3MB

MD5
1ac4381155a983e517af76507df07ccb

SHA1
bf26c59b25a4ff7935cc5447625a5ced2d19fdaf

SHA256
1061e7dccab11c5f9c6c047ed8f997f964b1c423c4f00334a66e530e8fa8f0ca

SHA512
4d4ef6209df58090bb91493807cd26ec48fcf092423f4557fe3c3521772be137c7fb808a5fb20b111a0b2e399c6bd6a9dbcb86dc2c1a75eb0dc9de5e6b617301

Download Submit
C:\Users\Admin\AppData\Local\h5qOV\UxTheme.dll

Filesize
1.3MB

MD5
101ff3ea82e1d246c24ab2767fc27eaa

SHA1
8cadafc6985e00b7cf86e8ad749b5803c9577640

SHA256
2f6680bdee3ed3c0a21f6be7b398719cdc81dbb3cf92ecd7679dfd4f5ad6ca59

SHA512
5972d608dc5552f19b5eaa7c41171ff18d2de4204bcedc6590036923d8ef4bdd9147d6462a2c44d0804097bcc98e1f0dcddfc723c5ec09c1fa04f5ebed87bcc8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk

Filesize
1KB

MD5
e50c413e508c6575b9b26e8e1e95561d

SHA1
21a469b48ef817054e96f2e4f31f10acf66ba60e

SHA256
cf081784118944da65c63cebdc30a64a3524f0670e871adc01f393a7ae4aaef4

SHA512
43819c4c5f5141e142b49071840f004d2e3657b6921166fec7668f075a3592ecc424061f3d817ae80b2b00d0852de1146c8ea0b7009802e86adf2f55edbf5dca

Download Submit
\Users\Admin\AppData\Local\8kxswjz9\wextract.exe

Filesize
140KB

MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Local\KZ8q\mblctr.exe

Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
\Users\Admin\AppData\Local\h5qOV\WindowsAnytimeUpgradeResults.exe

Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
memory/1192-18-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-14-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-25-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-37-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-36-0x0000000002D00000-0x0000000002D07000-memory.dmp

Filesize
28KB

Download
memory/1192-30-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-29-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-38-0x0000000076F01000-0x0000000076F02000-memory.dmp

Filesize
4KB

Download
memory/1192-28-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-27-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-26-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-24-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-23-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-22-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-21-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-20-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-19-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-4-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

Filesize
4KB

Download
memory/1192-17-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-16-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-15-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-10-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-39-0x0000000077060000-0x0000000077062000-memory.dmp

Filesize
8KB

Download
memory/1192-12-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-11-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-48-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-52-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1192-7-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-88-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

Filesize
4KB

Download
memory/1192-9-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1192-8-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2088-108-0x000007FEF6400000-0x000007FEF6550000-memory.dmp

Filesize
1.3MB

Download
memory/2576-72-0x000007FEF6DD0000-0x000007FEF6F20000-memory.dmp

Filesize
1.3MB

Download
memory/2576-66-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2576-67-0x000007FEF6DD0000-0x000007FEF6F20000-memory.dmp

Filesize
1.3MB

Download
memory/2976-84-0x000007FEF6400000-0x000007FEF6550000-memory.dmp

Filesize
1.3MB

Download
memory/2976-87-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/2976-91-0x000007FEF6400000-0x000007FEF6550000-memory.dmp

Filesize
1.3MB

Download
memory/2984-13-0x000007FEF6400000-0x000007FEF654F000-memory.dmp

Filesize
1.3MB

Download
memory/2984-1-0x000007FEF6400000-0x000007FEF654F000-memory.dmp

Filesize
1.3MB

Download
memory/2984-3-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download