dridex | dc23e2b53c2f9f56939cd4765aaea383fb37e638afe4db25e55fcc33a065792c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ec087fb5c9ac0a2ed26f817ccbe872a_JaffaCakes118.dll
Size

1.2MB
MD5

7ec087fb5c9ac0a2ed26f817ccbe872a
SHA1

7e186b2401393151ba721cfb79533dd277235f30
SHA256

dc23e2b53c2f9f56939cd4765aaea383fb37e638afe4db25e55fcc33a065792c
SHA512

dfcf6d814a56829c535b1742be85c718839f386ef29e09281dce0afdf79046b4b507de23b30c1810938c26dfbb235ab8e650a6b7353560021db47903e026d12e
SSDEEP

24576:SuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:69cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002520000-0x0000000002521000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

shrpubw.exeNetplwiz.exemmc.exe

pid	Process
2808	shrpubw.exe
2376	Netplwiz.exe
2840	mmc.exe

Loads dropped DLL 7 IoCs

Processes:

shrpubw.exeNetplwiz.exemmc.exe

pid	Process
1200
2808	shrpubw.exe
1200
2376	Netplwiz.exe
1200
2840	mmc.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neewpjodwhuy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\Oa7isZi2\\Netplwiz.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mmc.exerundll32.exeshrpubw.exeNetplwiz.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1200 wrote to memory of 1848	1200	31
PID 1200 wrote to memory of 1848	1200	31
PID 1200 wrote to memory of 1848	1200	31
PID 1200 wrote to memory of 2808	1200	32
PID 1200 wrote to memory of 2808	1200	32
PID 1200 wrote to memory of 2808	1200	32
PID 1200 wrote to memory of 2480	1200	33
PID 1200 wrote to memory of 2480	1200	33
PID 1200 wrote to memory of 2480	1200	33
PID 1200 wrote to memory of 2376	1200	34
PID 1200 wrote to memory of 2376	1200	34
PID 1200 wrote to memory of 2376	1200	34
PID 1200 wrote to memory of 1196	1200	35
PID 1200 wrote to memory of 1196	1200	35
PID 1200 wrote to memory of 1196	1200	35
PID 1200 wrote to memory of 2840	1200	36
PID 1200 wrote to memory of 2840	1200	36
PID 1200 wrote to memory of 2840	1200	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ec087fb5c9ac0a2ed26f817ccbe872a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1848

C:\Users\Admin\AppData\Local\MHSG4VJy\shrpubw.exe
C:\Users\Admin\AppData\Local\MHSG4VJy\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2808

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2480

C:\Users\Admin\AppData\Local\YQxeg92F\Netplwiz.exe
C:\Users\Admin\AppData\Local\YQxeg92F\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2376

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Ql5nNIb7y\mmc.exe
C:\Users\Admin\AppData\Local\Ql5nNIb7y\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MHSG4VJy\srvcli.dll

Filesize
1.2MB

MD5
9a036310466e406a2de27bda2e0dc53f

SHA1
ab09527dcd5c2b9ad9fe0157bcecf9bf11307902

SHA256
3cb3d7d8ebfa2693a5a46527253f644af492b585524d17a5bb42d993abf98b22

SHA512
0cb300dda4bbab59d4ab192f074e1fcb33b1f0c1b15ffe51f63f4ba489ded6a1eabcdd9c3a7da2cf0edd8394448ed98cbfd7546d6770cf98df1f1d7fc02bc717

Download Submit
C:\Users\Admin\AppData\Local\Ql5nNIb7y\DUser.dll

Filesize
1.2MB

MD5
cfc07a5a850daed0eddabe4c4a5ed7e3

SHA1
216cb82b85c5a9b32042ab14db6aab4f0cf57378

SHA256
02199f0765b8d0a8c3934d0ea354d826662a10ed39f5943292d6f638f4a5f060

SHA512
10af5140e292c7c5f0ff3ecef1d01a2d4b997391cb2cf722fb29b183b695c9e07b7f21cd3936de455703fc11546f0855407954dd325ad6efc53f379eb0efa666

Download Submit
C:\Users\Admin\AppData\Local\YQxeg92F\NETPLWIZ.dll

Filesize
1.2MB

MD5
2ff64df374a5292bfe016b875332c9b1

SHA1
46a0a1fbdf869335816223e945557348743308f4

SHA256
15ea085ac66a2bdcf1ac6c703d73730e516256ec2844951313afb27287ea184a

SHA512
eed54c5a86222756938fddf412ca5ccfca4c7a171a56803d5099af47072a54005fbf357279573d3c3d51a76232dee01fd333d428f80aab97349cc1f9bf07e082

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk

Filesize
1010B

MD5
c1f6d49895647a4123cc643244c988e8

SHA1
c19856c6cc269c0441474a531bfbd07fc799df6a

SHA256
c131172439c0100d35688fa6052bd3b873da0f8cd7efa8009d3e65adb94257b5

SHA512
7844340481a32fee55f82e3541c666d984e285348c048264fac0129e7e4bf08551beabff993ed3ed5a584c3c45996b4bf55f1324d6808ac3675f9aac4d68d655

Download Submit
\Users\Admin\AppData\Local\MHSG4VJy\shrpubw.exe

Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\Ql5nNIb7y\mmc.exe

Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
\Users\Admin\AppData\Local\YQxeg92F\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
memory/1200-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-29-0x0000000077871000-0x0000000077872000-memory.dmp

Filesize
4KB

Download
memory/1200-4-0x0000000077666000-0x0000000077667000-memory.dmp

Filesize
4KB

Download
memory/1200-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1200-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-40-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-26-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1200-30-0x0000000077A00000-0x0000000077A02000-memory.dmp

Filesize
8KB

Download
memory/1200-77-0x0000000077666000-0x0000000077667000-memory.dmp

Filesize
4KB

Download
memory/1200-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2376-72-0x000007FEF7130000-0x000007FEF7262000-memory.dmp

Filesize
1.2MB

Download
memory/2376-79-0x000007FEF7130000-0x000007FEF7262000-memory.dmp

Filesize
1.2MB

Download
memory/2376-78-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2552-33-0x000007FEF7130000-0x000007FEF7261000-memory.dmp

Filesize
1.2MB

Download
memory/2552-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2552-1-0x000007FEF7130000-0x000007FEF7261000-memory.dmp

Filesize
1.2MB

Download
memory/2808-60-0x000007FEF6C10000-0x000007FEF6D42000-memory.dmp

Filesize
1.2MB

Download
memory/2808-57-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2808-54-0x000007FEF6C10000-0x000007FEF6D42000-memory.dmp

Filesize
1.2MB

Download
memory/2840-96-0x0000000001CA0000-0x0000000001CA7000-memory.dmp

Filesize
28KB

Download
memory/2840-93-0x000007FEF6B50000-0x000007FEF6C82000-memory.dmp

Filesize
1.2MB

Download
memory/2840-99-0x000007FEF6B50000-0x000007FEF6C82000-memory.dmp

Filesize
1.2MB

Download