dridex | 3f8dbdd32edf0643d8008fdbaef3019604a9954488470c62eac3c5ed75ec94bf

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33fb7c1f5419fc3b4a9e0702f5c82176_JaffaCakes118.dll
Size

1.2MB
MD5

33fb7c1f5419fc3b4a9e0702f5c82176
SHA1

0e3dcd49eb06367121404d3bff24ad472d03db23
SHA256

3f8dbdd32edf0643d8008fdbaef3019604a9954488470c62eac3c5ed75ec94bf
SHA512

c3a0cdf9db68b9241f9b993184da0830753328e464822b35807d1cd1538d2977f701fa6bb11002100d3fda251db75c4f2ce383d6724c862cf370aa56b8f032cf
SSDEEP

24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3524-4-0x0000000002220000-0x0000000002221000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exerstrui.exeWindowsActionDialog.exe

pid	Process
4264	PresentationSettings.exe
1400	rstrui.exe
1940	WindowsActionDialog.exe

Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exerstrui.exeWindowsActionDialog.exe

pid	Process
4264	PresentationSettings.exe
1400	rstrui.exe
1940	WindowsActionDialog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bapkbs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\nguIHlR6UR\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exePresentationSettings.exerstrui.exeWindowsActionDialog.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
5112	rundll32.exe
5112	rundll32.exe
5112	rundll32.exe
5112	rundll32.exe
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3524 wrote to memory of 2304	3524	84
PID 3524 wrote to memory of 2304	3524	84
PID 3524 wrote to memory of 4264	3524	85
PID 3524 wrote to memory of 4264	3524	85
PID 3524 wrote to memory of 3600	3524	86
PID 3524 wrote to memory of 3600	3524	86
PID 3524 wrote to memory of 1400	3524	87
PID 3524 wrote to memory of 1400	3524	87
PID 3524 wrote to memory of 3372	3524	88
PID 3524 wrote to memory of 3372	3524	88
PID 3524 wrote to memory of 1940	3524	89
PID 3524 wrote to memory of 1940	3524	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33fb7c1f5419fc3b4a9e0702f5c82176_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2304

C:\Users\Admin\AppData\Local\VlA2\PresentationSettings.exe
C:\Users\Admin\AppData\Local\VlA2\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4264

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:3600

C:\Users\Admin\AppData\Local\79Y\rstrui.exe
C:\Users\Admin\AppData\Local\79Y\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1400

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:3372

C:\Users\Admin\AppData\Local\mXXwQKFm\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\mXXwQKFm\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\79Y\SRCORE.dll

Filesize
1.2MB

MD5
c9efa44fa85ca1049c8b0dfdf8323712

SHA1
74704f153d3035fd65503076cda5feb11917d9b0

SHA256
6bfc50b30aa97e31691df92a3390b768f136ce7ffcdcbddf807cde6812374fad

SHA512
43710649fe52009fbe0241a31e37a75e1d79c0755d685b72aa2d7c987908691f87017dfe393c63d3172b008d0ddf92721d05228ef3df3f1db3a2c643a0da7dd4

Download Submit
C:\Users\Admin\AppData\Local\79Y\rstrui.exe

Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\VlA2\PresentationSettings.exe

Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\VlA2\WINMM.dll

Filesize
1.2MB

MD5
2acc2b2a6f232ce5304afc3d1fb011e9

SHA1
01f37ff2c28ccefdb10ac93b014f0a17146edf83

SHA256
a4ebb93c2918ef28d8b7099e1a17371bc31a25b0fdf803b046614d593140798f

SHA512
168bc1162d51fda187687ddabe02c8a089b818d9187931160e006a77f3420ea6f65d585f7ace9837508fe62388ec490238cd72f96e16422f3d26f6992cdb432b

Download Submit
C:\Users\Admin\AppData\Local\mXXwQKFm\DUI70.dll

Filesize
1.4MB

MD5
10d482c084e95865d383882217af7354

SHA1
6f1fd21c218b33250bdd4c7086089ab411c0daed

SHA256
abe87b698e83c6d7147375fea478205b2a81affba10d7636510525f1b898ee6e

SHA512
0db1b5034e40774966f5b1c3f93ebc846b2ffc2e3037927ee43f70b4b47b6378932e821f408a8fc27a8dd485902919503e70d9f89c7b252f4bdbd123202967ef

Download Submit
C:\Users\Admin\AppData\Local\mXXwQKFm\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vmoyh.lnk

Filesize
1KB

MD5
076e4878ca5db42c6ae817734c4695fd

SHA1
745e7ef69a2c883df79c16de0f5e130c9ca9c3d6

SHA256
e38fc4a9117238b5a9a90a71d66bc6bde4204242bca9a4edc40a4e548d847982

SHA512
cb86db10659ec10e83ef71bf6e2f75a5579deb1801c75e4ddd174bdd44609c6a752cc6d9bd29a6e760cb73dee5402565e03de6a690a4636b71124f11bc1310d5

Download Submit
memory/1400-63-0x00007FF9DBC10000-0x00007FF9DBD42000-memory.dmp

Filesize
1.2MB

Download
memory/1400-66-0x000001FB8A9D0000-0x000001FB8A9D7000-memory.dmp

Filesize
28KB

Download
memory/1400-69-0x00007FF9DBC10000-0x00007FF9DBD42000-memory.dmp

Filesize
1.2MB

Download
memory/1940-80-0x0000026A8CA40000-0x0000026A8CA47000-memory.dmp

Filesize
28KB

Download
memory/1940-81-0x00007FF9DBBD0000-0x00007FF9DBD47000-memory.dmp

Filesize
1.5MB

Download
memory/1940-86-0x00007FF9DBBD0000-0x00007FF9DBD47000-memory.dmp

Filesize
1.5MB

Download
memory/3524-33-0x00007FF9EA1FA000-0x00007FF9EA1FB000-memory.dmp

Filesize
4KB

Download
memory/3524-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-4-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/3524-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-35-0x00007FF9EB0F0000-0x00007FF9EB100000-memory.dmp

Filesize
64KB

Download
memory/3524-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3524-34-0x0000000000830000-0x0000000000837000-memory.dmp

Filesize
28KB

Download
memory/3524-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4264-52-0x00007FF9DBA60000-0x00007FF9DBB93000-memory.dmp

Filesize
1.2MB

Download
memory/4264-49-0x000002B4E08C0000-0x000002B4E08C7000-memory.dmp

Filesize
28KB

Download
memory/4264-46-0x00007FF9DBA60000-0x00007FF9DBB93000-memory.dmp

Filesize
1.2MB

Download
memory/5112-0-0x00007FF9DB890000-0x00007FF9DB9C1000-memory.dmp

Filesize
1.2MB

Download
memory/5112-39-0x00007FF9DB890000-0x00007FF9DB9C1000-memory.dmp

Filesize
1.2MB

Download
memory/5112-3-0x000001C8123E0000-0x000001C8123E7000-memory.dmp

Filesize
28KB

Download