dridex | d2f5888941801c183beb9683356f780eaf0b66a94b595a8db0a52b32db5034d1

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7800b9d0be9bce9e13706e9a738321cc_JaffaCakes118.dll
Size

1.2MB
MD5

7800b9d0be9bce9e13706e9a738321cc
SHA1

6e4efb0b9602f6400ae735dc734f94faeeaede35
SHA256

d2f5888941801c183beb9683356f780eaf0b66a94b595a8db0a52b32db5034d1
SHA512

dbb62a792651abc3f2a5d2a689f52c58eebdd7c6f448d2f10579f961f6691ef3e37079afe81dd52580cbd2aa2bb02228a06240d8aca4e83667c66c1e6007c68a
SSDEEP

24576:HuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NXwF:p9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3580-4-0x0000000002B20000-0x0000000002B21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4600	isoburn.exe
884	SystemPropertiesHardware.exe
3248	MusNotificationUx.exe

Loads dropped DLL 3 IoCs

pid	Process
4600	isoburn.exe
884	SystemPropertiesHardware.exe
3248	MusNotificationUx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rgxdcw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\EY85Fa\\SystemPropertiesHardware.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	regsvr32.exe
904	regsvr32.exe
904	regsvr32.exe
904	regsvr32.exe
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3580	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 4988	3580	Process not Found	94
PID 3580 wrote to memory of 4988	3580	Process not Found	94
PID 3580 wrote to memory of 4600	3580	Process not Found	95
PID 3580 wrote to memory of 4600	3580	Process not Found	95
PID 3580 wrote to memory of 3692	3580	Process not Found	96
PID 3580 wrote to memory of 3692	3580	Process not Found	96
PID 3580 wrote to memory of 884	3580	Process not Found	97
PID 3580 wrote to memory of 884	3580	Process not Found	97
PID 3580 wrote to memory of 2144	3580	Process not Found	98
PID 3580 wrote to memory of 2144	3580	Process not Found	98
PID 3580 wrote to memory of 3248	3580	Process not Found	99
PID 3580 wrote to memory of 3248	3580	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7800b9d0be9bce9e13706e9a738321cc_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Bc2xSrB00\isoburn.exe
C:\Users\Admin\AppData\Local\Bc2xSrB00\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4600

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:3692

C:\Users\Admin\AppData\Local\W0wo\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\W0wo\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:884

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:2144

C:\Users\Admin\AppData\Local\jRPsN\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\jRPsN\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bc2xSrB00\UxTheme.dll

Filesize
1.2MB

MD5
552efb84fec9046f1185030fa698eefd

SHA1
72e5ae3ff09faea8b19f265a615874b4dc3ed65a

SHA256
6592142924317425bf8f7cde5da13e72a186efb31f918d63bed1141007b286bb

SHA512
a0766912952540a70403939d1a56743c71a0bf509650fa7aa6baff8bb78464aa32fc490196e6b2b0b4706c67cefec0c784acc0edfef0c69ecd57688aa2e41426

Download Submit
C:\Users\Admin\AppData\Local\Bc2xSrB00\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Local\W0wo\SYSDM.CPL

Filesize
1.2MB

MD5
3225615a65cc11ac2568ab4b7551c4e2

SHA1
b7f6128a9acfb3c5874c57b1a1db84ffb4321f6c

SHA256
60d091f15f4d8e6202a7cc0fc576c8c389e815a8a3bf9a4775856f4d3bba2c56

SHA512
b3d1be36546c6ef3fc11d0507a2e15d576606ec93e376d351d005fbdabca71cfb161d4051a5b928fdca2292cc67b00681b6d188a25c23cb4f8d9bd7320d2d71c

Download Submit
C:\Users\Admin\AppData\Local\W0wo\SystemPropertiesHardware.exe

Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Local\jRPsN\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\jRPsN\XmlLite.dll

Filesize
1.2MB

MD5
83aff1a2bb0688c94fc4f1d45d43ca18

SHA1
fe8eff7daa14e8ea51df30de2957966c013ace18

SHA256
02c1d98f7c39a76253ea55b2f7c0b84e726be62acd0d77e2ff85a9be40e83429

SHA512
98bec2930627103f7b248d73b0ab333601a129e8478e49b6c7b464d73389270702407dd3a08be18a797e78b758b86e471fce2259eecd40ae35035456b7b0fa87

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jmwkri.lnk

Filesize
1KB

MD5
51a2a90c7f0d5ff64f8af1465fdf0f68

SHA1
2e88c25c3e1d2fc1fb972ce2d7f201fa8c9a8233

SHA256
b0fe91ae18ba5b256adc67f9796befc1ecf70f3c9514ca23087640f1176f717a

SHA512
fd2739940e7a08378c4a63db3a6bfabd4211afd613550f40413e96c7037b87b83492b6d6bf7d43935d70ac62714564e45cb5813c31966a6c24a1006fda84880c

Download Submit
memory/884-65-0x000001DEC5240000-0x000001DEC5247000-memory.dmp

Filesize
28KB

Download
memory/884-68-0x00007FFA81CC0000-0x00007FFA81DF7000-memory.dmp

Filesize
1.2MB

Download
memory/904-0-0x00007FFA90E10000-0x00007FFA90F46000-memory.dmp

Filesize
1.2MB

Download
memory/904-38-0x00007FFA90E10000-0x00007FFA90F46000-memory.dmp

Filesize
1.2MB

Download
memory/904-1-0x0000000001FF0000-0x0000000001FF7000-memory.dmp

Filesize
28KB

Download
memory/3248-82-0x0000028AC1930000-0x0000028AC1937000-memory.dmp

Filesize
28KB

Download
memory/3248-85-0x00007FFA81CC0000-0x00007FFA81DF7000-memory.dmp

Filesize
1.2MB

Download
memory/3580-16-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-28-0x0000000000B50000-0x0000000000B57000-memory.dmp

Filesize
28KB

Download
memory/3580-6-0x00007FFA9D95A000-0x00007FFA9D95B000-memory.dmp

Filesize
4KB

Download
memory/3580-4-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/3580-8-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-9-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-10-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-11-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-14-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-24-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-12-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-13-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-15-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-7-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-35-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-29-0x00007FFA9F3D0000-0x00007FFA9F3E0000-memory.dmp

Filesize
64KB

Download
memory/4600-51-0x00007FFA81CC0000-0x00007FFA81DF7000-memory.dmp

Filesize
1.2MB

Download
memory/4600-45-0x00007FFA81CC0000-0x00007FFA81DF7000-memory.dmp

Filesize
1.2MB

Download
memory/4600-48-0x0000022B52D20000-0x0000022B52D27000-memory.dmp

Filesize
28KB

Download