dridex | 184451839f912dfa47548af44b5f0c8a62e084a23abe992b3cd301208c190823

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
29/07/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a896d6184851ee490f07f6ef499b73_JaffaCakes118.dll
Size

1.2MB
MD5

33a896d6184851ee490f07f6ef499b73
SHA1

fa9db1c9c6256ae0dbbb02593ca853df3f31f171
SHA256

184451839f912dfa47548af44b5f0c8a62e084a23abe992b3cd301208c190823
SHA512

1140bde17fe9f76a65b51960526d6d0b2db68a031c1e55689ce2369406f1436f3028f7154119b154516a576a3298ff7efd8e8d46af491647cd0c4e2f88d8319e
SSDEEP

24576:3uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:59cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3488-4-0x0000000000D30000-0x0000000000D31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1992	Magnify.exe
3240	SndVol.exe
4140	EhStorAuthn.exe

Loads dropped DLL 5 IoCs

pid	Process
1992	Magnify.exe
1992	Magnify.exe
1992	Magnify.exe
3240	SndVol.exe
4140	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pymom = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\LWUC\\SndVol.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3488	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3180	3488	Process not Found	84
PID 3488 wrote to memory of 3180	3488	Process not Found	84
PID 3488 wrote to memory of 1992	3488	Process not Found	85
PID 3488 wrote to memory of 1992	3488	Process not Found	85
PID 3488 wrote to memory of 4920	3488	Process not Found	86
PID 3488 wrote to memory of 4920	3488	Process not Found	86
PID 3488 wrote to memory of 3240	3488	Process not Found	87
PID 3488 wrote to memory of 3240	3488	Process not Found	87
PID 3488 wrote to memory of 464	3488	Process not Found	88
PID 3488 wrote to memory of 464	3488	Process not Found	88
PID 3488 wrote to memory of 4140	3488	Process not Found	89
PID 3488 wrote to memory of 4140	3488	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33a896d6184851ee490f07f6ef499b73_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:3180

C:\Users\Admin\AppData\Local\z9fTl7V0\Magnify.exe
C:\Users\Admin\AppData\Local\z9fTl7V0\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1992

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:4920

C:\Users\Admin\AppData\Local\rUUA6F\SndVol.exe
C:\Users\Admin\AppData\Local\rUUA6F\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3240

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:464

C:\Users\Admin\AppData\Local\0ADcrcCw\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\0ADcrcCw\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0ADcrcCw\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\0ADcrcCw\UxTheme.dll

Filesize
1.2MB

MD5
ef952c881b74c7b3cb9ec41d8981cc49

SHA1
2d7c92a5401b121344844d5cae5d3e3f4648b9ad

SHA256
9e2266a9911fe9e66ff5bac009aa73c92fc56601f0dc2a6b567ca2004c632448

SHA512
cd17a41e68b032e352ddf146c5f17b1641428109887745d437716dc3a6a6e05b1ef37947a579d9ebec7d649d8106b73665963fb253388c4d3c6da7cb5a7ab6fc

Download Submit
C:\Users\Admin\AppData\Local\rUUA6F\SndVol.exe

Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\rUUA6F\UxTheme.dll

Filesize
1.2MB

MD5
567888dd6f6438391442c336b69c1de1

SHA1
5d8002f96edef86690a87d7a027a27c9cbd23308

SHA256
ea16a7187550c9d8a63a773810bdb4aedfa5dc02472990ff33e4a738edd29214

SHA512
d346e9893890dc9ce2619dc7eabdf49f8ff2a576e4cf3215c4406f5714aced06582d6d3544ccbd0b7f22b06651b288cf6607dbab6e82964f2707f77d109a5c01

Download Submit
C:\Users\Admin\AppData\Local\z9fTl7V0\Magnify.exe

Filesize
639KB

MD5
4029890c147e3b4c6f41dfb5f9834d42

SHA1
10d08b3f6dabe8171ca2dd52e5737e3402951c75

SHA256
57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

SHA512
dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

Download Submit
C:\Users\Admin\AppData\Local\z9fTl7V0\dwmapi.dll

Filesize
1.2MB

MD5
178eb82d699490dbbd86b903dcc0780c

SHA1
d3052c25526e9888fcb773c0e322b94bfb0fbe9d

SHA256
73af5c1ebbadf49a9f891c5601008b46dc67a4103e337a6b2b8c17d90b1d4cf5

SHA512
08a992287c08c56e6e95a60d7bd5641905b1af12bdcdd7eeaaafd38b8a604cbd052e1a042b3aef625a60a1bb648cfa3b21d818b4b08b4624361756518f5b58e4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rzzww.lnk

Filesize
1KB

MD5
fe0678142ec73807c831fd16b75e6f0b

SHA1
e898a8c0e93042712aad6d612bdbe783c2edfd8b

SHA256
f9e6b595bc5211d3cf1ebed189b75bd3fcfd695b4fda7f6b37d879896feb053c

SHA512
7d6df1ef1b857dcd38bcc0dd626d541218cf0aa254a64892a06832febeac02d0fd6511c9f6c640bd19b57bf04fad4451b1b64adccbe2d9e1661a8a49cec222d2

Download Submit
memory/1628-3-0x0000019D32FD0000-0x0000019D32FD7000-memory.dmp

Filesize
28KB

Download
memory/1628-0-0x00007FFFD8930000-0x00007FFFD8A61000-memory.dmp

Filesize
1.2MB

Download
memory/1628-39-0x00007FFFD8930000-0x00007FFFD8A61000-memory.dmp

Filesize
1.2MB

Download
memory/1992-53-0x00007FFFD8930000-0x00007FFFD8A62000-memory.dmp

Filesize
1.2MB

Download
memory/1992-48-0x00007FFFD8930000-0x00007FFFD8A62000-memory.dmp

Filesize
1.2MB

Download
memory/1992-52-0x000001C9C6F60000-0x000001C9C6F67000-memory.dmp

Filesize
28KB

Download
memory/3240-68-0x00007FFFD8930000-0x00007FFFD8A62000-memory.dmp

Filesize
1.2MB

Download
memory/3240-65-0x00000154C7360000-0x00000154C7367000-memory.dmp

Filesize
28KB

Download
memory/3488-33-0x00007FFFE55BA000-0x00007FFFE55BB000-memory.dmp

Filesize
4KB

Download
memory/3488-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-34-0x0000000000C70000-0x0000000000C77000-memory.dmp

Filesize
28KB

Download
memory/3488-35-0x00007FFFE74F0000-0x00007FFFE7500000-memory.dmp

Filesize
64KB

Download
memory/3488-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-4-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4140-84-0x00007FFFD8930000-0x00007FFFD8A62000-memory.dmp

Filesize
1.2MB

Download