dridex | 39703d228241e44be2c2f4034de7002b590f762a909948a58fd48de07f007abb

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2876b93cb21d6a2221e6ceb50411d4fd_JaffaCakes118.dll
Size

1.2MB
MD5

2876b93cb21d6a2221e6ceb50411d4fd
SHA1

3c10977925549acc722bcfe64e152a1d14d7ebf4
SHA256

39703d228241e44be2c2f4034de7002b590f762a909948a58fd48de07f007abb
SHA512

9e510ef96855375a0d0584a5031814397e404bc45daaa4c355de332e7675fca77bcbb4ac8263d821d512e114348ebb4bd1c74f2f2891aefbcf9fc4d5e269355d
SSDEEP

24576:XuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Na:Z9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3400-4-0x00000000009B0000-0x00000000009B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3604	Utilman.exe
2312	FXSCOVER.exe
2260	MDMAppInstaller.exe

Loads dropped DLL 3 IoCs

pid	Process
3604	Utilman.exe
2312	FXSCOVER.exe
2260	MDMAppInstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdgdcgkgx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\71A1\\FXSCOVER.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3400	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 1524	3400	Process not Found	84
PID 3400 wrote to memory of 1524	3400	Process not Found	84
PID 3400 wrote to memory of 3604	3400	Process not Found	85
PID 3400 wrote to memory of 3604	3400	Process not Found	85
PID 3400 wrote to memory of 4232	3400	Process not Found	86
PID 3400 wrote to memory of 4232	3400	Process not Found	86
PID 3400 wrote to memory of 2312	3400	Process not Found	87
PID 3400 wrote to memory of 2312	3400	Process not Found	87
PID 3400 wrote to memory of 2820	3400	Process not Found	88
PID 3400 wrote to memory of 2820	3400	Process not Found	88
PID 3400 wrote to memory of 2260	3400	Process not Found	89
PID 3400 wrote to memory of 2260	3400	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2876b93cb21d6a2221e6ceb50411d4fd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Qh7P\Utilman.exe
C:\Users\Admin\AppData\Local\Qh7P\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3604

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:4232

C:\Users\Admin\AppData\Local\lRds4T0P3\FXSCOVER.exe
C:\Users\Admin\AppData\Local\lRds4T0P3\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2312

C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
1⤵
PID:2820

C:\Users\Admin\AppData\Local\Ip53\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\Ip53\MDMAppInstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ip53\MDMAppInstaller.exe

Filesize
151KB

MD5
30e978cc6830b04f1e7ed285cccaa746

SHA1
e915147c17e113c676c635e2102bbff90fb7aa52

SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Download Submit
C:\Users\Admin\AppData\Local\Ip53\WTSAPI32.dll

Filesize
1.2MB

MD5
3afe75a11faf3fef760fb1fb2a33e47f

SHA1
ea9bac6967157c31fb0ac2d2e0281dbc900f1fc1

SHA256
1668a17be625f7a78522400f995588b6e09c62f3b9bade838618898a67167e5e

SHA512
900515c94d2e5c54f2aa5b674db2cb22dbb6c1b0953831e47722e8f9f5b66d4e92c18f22ae0d5d694def61ec2fe5d76a2fa9cc3439c62b1054b4938acab2e693

Download Submit
C:\Users\Admin\AppData\Local\Qh7P\DUI70.dll

Filesize
1.4MB

MD5
c4cba81d7a6457c88c01579978b1c02e

SHA1
5d1e5483998dc8d5b120b6e770d7bd43700b38ed

SHA256
fe57016a38f5925f52367464c6a4d8e4eddcbe223033246480296f0414f21d64

SHA512
47fe2cc25b3b93146c94585d90515f9aea6e3761052467dca996dc8e3de1fb0db433d060bcbc3d8b83f8cdaa99d4424c5de8abae7eb8c0ced73ab9a0adc58841

Download Submit
C:\Users\Admin\AppData\Local\Qh7P\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\lRds4T0P3\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\lRds4T0P3\MFC42u.dll

Filesize
1.2MB

MD5
58f448e018560f4e5fa5742e99df0926

SHA1
de6aa9fccd17bf3dc73b0b4700a1ff4ddee0275d

SHA256
6f39a15b5b2505c7e9cd5fe4334fcbd63f46702276fdcf919c30d70b6726a92b

SHA512
4045a3df084dd417745a579a6ec744d61652959aa8de0e933bd548b748d0dafe5ce3513202dfea7b0e4f8b07515dd77adb6b47c1cd627b790802b022d621c6e3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ozpfed.lnk

Filesize
1KB

MD5
dccef57bfe5c1d4404a4120e72104217

SHA1
cf41199cd1f0170b2e069bcfbca0c234f6360a9f

SHA256
7c8b61c1d81e34a872b1ce9b6a1d897955a4b4933a8e215bd4c3a29b7fd32d32

SHA512
fd8aed956580fb49bf39440666e7bf1e85a6fae5860e0a4078ea6f9d85d683906bd0d5cb5c9659bdb32d716748de43668f3489514cb4e8e9ec165003ccd96cf6

Download Submit
memory/2260-82-0x00000200CEF20000-0x00000200CEF27000-memory.dmp

Filesize
28KB

Download
memory/2260-79-0x00007FF936E50000-0x00007FF936F81000-memory.dmp

Filesize
1.2MB

Download
memory/2260-85-0x00007FF936E50000-0x00007FF936F81000-memory.dmp

Filesize
1.2MB

Download
memory/2312-63-0x00007FF93A550000-0x00007FF93A687000-memory.dmp

Filesize
1.2MB

Download
memory/2312-62-0x000001AC576E0000-0x000001AC576E7000-memory.dmp

Filesize
28KB

Download
memory/2312-68-0x00007FF93A550000-0x00007FF93A687000-memory.dmp

Filesize
1.2MB

Download
memory/3400-28-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/3400-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-4-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3400-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-23-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3400-27-0x00007FF9457CA000-0x00007FF9457CB000-memory.dmp

Filesize
4KB

Download
memory/3400-29-0x00007FF945B70000-0x00007FF945B80000-memory.dmp

Filesize
64KB

Download
memory/3400-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3604-51-0x00007FF936E10000-0x00007FF936F86000-memory.dmp

Filesize
1.5MB

Download
memory/3604-46-0x00007FF936E10000-0x00007FF936F86000-memory.dmp

Filesize
1.5MB

Download
memory/3604-45-0x000001BB5BB40000-0x000001BB5BB47000-memory.dmp

Filesize
28KB

Download
memory/3984-1-0x00007FF93A560000-0x00007FF93A690000-memory.dmp

Filesize
1.2MB

Download
memory/3984-38-0x00007FF93A560000-0x00007FF93A690000-memory.dmp

Filesize
1.2MB

Download
memory/3984-3-0x0000020CB77F0000-0x0000020CB77F7000-memory.dmp

Filesize
28KB

Download