dridex | fc7250c2304197a28f68e088a7bb5fb90415ac996838166ce4fe4b2b797cc24a

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca3cbd4bb76e276967023dfcec4c8d65_JaffaCakes118.dll
Size

1.2MB
MD5

ca3cbd4bb76e276967023dfcec4c8d65
SHA1

11733d1ced342598f9851031bea13e9b3a1022c9
SHA256

fc7250c2304197a28f68e088a7bb5fb90415ac996838166ce4fe4b2b797cc24a
SHA512

12dec455ff2e7a04ae68b066a15683894bd6c9bb6960839b1b971a554274672f34fdd8bbc6724aedf7367cae1a62e08427ba553783c050edc3314bdb08fc5949
SSDEEP

24576:QuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NMt:A9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3360-4-0x0000000002480000-0x0000000002481000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

MusNotificationUx.exeSysResetErr.exeunregmp2.exe

pid	Process
2416	MusNotificationUx.exe
316	SysResetErr.exe
1696	unregmp2.exe

Loads dropped DLL 3 IoCs

Processes:

MusNotificationUx.exeSysResetErr.exeunregmp2.exe

pid	Process
2416	MusNotificationUx.exe
316	SysResetErr.exe
1696	unregmp2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isybexcquevfui = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\DOCUME~1\\1033\\URBRQ3~1\\SYSRES~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MusNotificationUx.exeSysResetErr.exeunregmp2.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3360
Token: SeCreatePagefilePrivilege	3360
Token: SeShutdownPrivilege	3360
Token: SeCreatePagefilePrivilege	3360

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3360

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3360 wrote to memory of 2668	3360	94
PID 3360 wrote to memory of 2668	3360	94
PID 3360 wrote to memory of 2416	3360	95
PID 3360 wrote to memory of 2416	3360	95
PID 3360 wrote to memory of 1272	3360	96
PID 3360 wrote to memory of 1272	3360	96
PID 3360 wrote to memory of 316	3360	97
PID 3360 wrote to memory of 316	3360	97
PID 3360 wrote to memory of 440	3360	98
PID 3360 wrote to memory of 440	3360	98
PID 3360 wrote to memory of 1696	3360	99
PID 3360 wrote to memory of 1696	3360	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca3cbd4bb76e276967023dfcec4c8d65_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:2668

C:\Users\Admin\AppData\Local\1V2M3C\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\1V2M3C\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2416

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:1272

C:\Users\Admin\AppData\Local\BIi\SysResetErr.exe
C:\Users\Admin\AppData\Local\BIi\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:316

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:440

C:\Users\Admin\AppData\Local\r50z\unregmp2.exe
C:\Users\Admin\AppData\Local\r50z\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1V2M3C\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\1V2M3C\XmlLite.dll

Filesize
1.2MB

MD5
c4fecb04dd0d872d00beccd7fa121ccd

SHA1
1ff5266cf27f82202b2cc3cf4733edbcc27e4ef3

SHA256
90f33f851cb56e55b0396a0b40a0d300a0af3d818833aaef1edb24967f3d9f00

SHA512
4dfe7ed5ea414dff38f7cc2b11e0b70abe82c7d01f4f310ce45505b468187aff92d8c3d736e725aa7688b906391c26a8741ff2570293444c0227888dd8658da8

Download Submit
C:\Users\Admin\AppData\Local\BIi\DUI70.dll

Filesize
1.4MB

MD5
c253f9d02a22ce85193fcc34c6448a27

SHA1
babe77e41168bc98230a33592f639307ddbe3280

SHA256
2e040964fab779e3dc342a8f5b1053aaeda43a2377d886e34fca642779c18426

SHA512
dbfe9f10ee6c5a4a38724b9a11f2239e2fc2e68ed44c22cd86405ba8ef90bbebd89fe8fa8f3b555680d9c5e0a439fb5a3767aa70981198a76b31d993dfc41514

Download Submit
C:\Users\Admin\AppData\Local\BIi\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\r50z\VERSION.dll

Filesize
1.2MB

MD5
041f4d51841873273c536418b82f2a56

SHA1
6e251c3458242453cbd5801691fe60602539ab07

SHA256
4b0cbdd7728e01cdfc1fc29dc45312ba6c109c1183bd7576b91f1adbcefc2aee

SHA512
63e70d1fbd01bdd1542f7925a7c073d4e85bda3f2c009bca754336e2487e9578643c90b869c88a594d2441f7370a2c005ab1a5a459ae594d3e4ae7e722dbf5c1

Download Submit
C:\Users\Admin\AppData\Local\r50z\unregmp2.exe

Filesize
259KB

MD5
a6fc8ce566dec7c5873cb9d02d7b874e

SHA1
a30040967f75df85a1e3927bdce159b102011a61

SHA256
21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

SHA512
f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wyfsbgf.lnk

Filesize
1KB

MD5
57f5631493cba88aac778a1e56165542

SHA1
d0cf340a08401987bc89d099d27cda2de39c99a0

SHA256
34958de22b8882981600a2dc47cfcea23030e43dfe94d59c5cbc8f48708d111d

SHA512
effc4914fff3462b0984ef7fb63ce413b2229899c99bff08488f0fc33dabaaeeb69ff44b3511da04ea4d11a34ce83b2995f9fe69d6d6dcc860cab48c5d653e41

Download Submit
memory/316-69-0x00007FFC73300000-0x00007FFC73477000-memory.dmp

Filesize
1.5MB

Download
memory/316-66-0x000001AE6E520000-0x000001AE6E527000-memory.dmp

Filesize
28KB

Download
memory/316-64-0x00007FFC73300000-0x00007FFC73477000-memory.dmp

Filesize
1.5MB

Download
memory/1696-83-0x0000024FF6410000-0x0000024FF6417000-memory.dmp

Filesize
28KB

Download
memory/1696-86-0x00007FF6DFA40000-0x00007FF6DFA85000-memory.dmp

Filesize
276KB

Download
memory/1696-87-0x00007FFC73340000-0x00007FFC73472000-memory.dmp

Filesize
1.2MB

Download
memory/2416-52-0x00007FFC73340000-0x00007FFC73472000-memory.dmp

Filesize
1.2MB

Download
memory/2416-47-0x00007FFC73340000-0x00007FFC73472000-memory.dmp

Filesize
1.2MB

Download
memory/2416-46-0x000001C878BD0000-0x000001C878BD7000-memory.dmp

Filesize
28KB

Download
memory/3360-30-0x00000000023D0000-0x00000000023D7000-memory.dmp

Filesize
28KB

Download
memory/3360-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-5-0x00007FFC8FC8A000-0x00007FFC8FC8B000-memory.dmp

Filesize
4KB

Download
memory/3360-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-4-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3360-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-31-0x00007FFC90BD0000-0x00007FFC90BE0000-memory.dmp

Filesize
64KB

Download
memory/3360-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3360-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4900-2-0x00007FFC81FC0000-0x00007FFC820F1000-memory.dmp

Filesize
1.2MB

Download
memory/4900-39-0x00007FFC81FC0000-0x00007FFC820F1000-memory.dmp

Filesize
1.2MB

Download
memory/4900-0-0x000001440EFD0000-0x000001440EFD7000-memory.dmp

Filesize
28KB

Download