dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
1799s
max time network
1576s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral13/memory/3408-7-0x0000000000660000-0x0000000000661000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

sethc.exesdclt.exemblctr.exesethc.exe

pid process

3064 sethc.exe
1656 sdclt.exe
3168 mblctr.exe
4336 sethc.exe
Loads dropped DLL 4 IoCs

Processes:

sethc.exesdclt.exemblctr.exesethc.exe

pid process

3064 sethc.exe
1656 sdclt.exe
3168 mblctr.exe
4336 sethc.exe

pid	process
3064	sethc.exe
1656	sdclt.exe
3168	mblctr.exe
4336	sethc.exe

pid	process
3064	sethc.exe
1656	sdclt.exe
3168	mblctr.exe
4336	sethc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tfuhhiozesvy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\3oyieI\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesethc.exesdclt.exemblctr.exesethc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3408 wrote to memory of 3596	3408	sethc.exe
PID 3408 wrote to memory of 3596	3408	sethc.exe
PID 3408 wrote to memory of 3064	3408	sethc.exe
PID 3408 wrote to memory of 3064	3408	sethc.exe
PID 3408 wrote to memory of 4272	3408	sdclt.exe
PID 3408 wrote to memory of 4272	3408	sdclt.exe
PID 3408 wrote to memory of 1656	3408	sdclt.exe
PID 3408 wrote to memory of 1656	3408	sdclt.exe
PID 3408 wrote to memory of 1708	3408	mblctr.exe
PID 3408 wrote to memory of 1708	3408	mblctr.exe
PID 3408 wrote to memory of 3168	3408	mblctr.exe
PID 3408 wrote to memory of 3168	3408	mblctr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:3596

C:\Users\Admin\AppData\Local\yhlzuLi\sethc.exe
C:\Users\Admin\AppData\Local\yhlzuLi\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3064

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:4272

C:\Users\Admin\AppData\Local\xbZcn5\sdclt.exe
C:\Users\Admin\AppData\Local\xbZcn5\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1656

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:1708

C:\Users\Admin\AppData\Local\LUUECOG\mblctr.exe
C:\Users\Admin\AppData\Local\LUUECOG\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3168

C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\QZCAQB~1\sethc.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\QZCAQB~1\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LUUECOG\mblctr.exe

Filesize
781KB

MD5
b0c3fd37171b242f88f2757ecdc1e9bd

SHA1
33fb495368f8e28603c5e6bec0fa01c501ef6306

SHA256
d6f2cf2dca7c6fca164da85c60f7463b2575c0a5a19c038b025b41fa586d54fc

SHA512
7ad8562907a6fbf94ae65f19df63c5ef27e65d34eb20ae52404456b1e52f0d1c1b351a87afb86e96e459063c32666303d0731730a95566ed67aac1fb7ba2e0c4

Download Submit
C:\Users\Admin\AppData\Local\xbZcn5\sdclt.exe

Filesize
1.2MB

MD5
d583261d1da3e49fa34d0ed9fc550173

SHA1
64d55723f6fec895c7e8b50f42a815b125ce0b29

SHA256
8577ef50c0dd969617fa313ebd927d6e4ca2faae24fa4516f643328a967c5e6a

SHA512
77aceaf9992b40c859c95d6ee6d6b31c06add7a1227f8e2d1fc49245163a8ffdbf347bfdb0cffb400a9550b715cede3941e4c3f0499d0942dc5f7853db5cd0b5

Download Submit
C:\Users\Admin\AppData\Local\yhlzuLi\DUI70.dll

Filesize
1.5MB

MD5
9a7ab32cb68d763ecc9b145774c34986

SHA1
f2334bf33794eafd98a735e60865d1a1322d52cb

SHA256
c413072fd2cead78c2039c1fe491fc368679481baa3e595c519b12bb1bb89d6d

SHA512
506d264cb9814fd723a1e356c3abcd73cbbd04577e4e9460392454a6ae0ec37adeea028c8c28da0958f081658069df27110cea20c3b29f4adcd643564742da1e

Download Submit
C:\Users\Admin\AppData\Local\yhlzuLi\sethc.exe

Filesize
267KB

MD5
acf1ee51ad73afb0faba2e10304df15a

SHA1
03ade95bbe89143d89a0c09c405610921e5046b3

SHA256
e0bf9845f79c1b4fa09e334f460b6ef70f418eb46cd61b696dec772c6ff3839d

SHA512
a399d58f9ce6b36a5851ef7955509a6c45764e1fa246f93900744f7a288bf3ff3f3513a5c201c4f8c7025daaec62fb0fb62aaf56cb9f6c79ffce203961fd0618

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rjiuzralirfk.lnk

Filesize
1KB

MD5
95ba793dd9538ab2b4a9db2cf3f3d539

SHA1
14b6a33d88f48986b79ea818e704af156df2ee9e

SHA256
8b986810c1e73aa6af3ca8ac2c4962c2627a438bee388659ba1bd34ef1deee69

SHA512
d72a301902f6d2aabaea4409021e49245a7c46d8f0724cc2b0927b8c40f6e8db0bdfb54aa8ca532ae88f89568d8d30387d9c2e62e169fe8e02d3c01d189748f2

Download Submit
\Users\Admin\AppData\Local\LUUECOG\dwmapi.dll

Filesize
1.2MB

MD5
a36a15625a208db1cb3a59d73dcc8b1a

SHA1
982af11df0df2a78d76fb97adc1bc7601a24992d

SHA256
e874d354b3ae160d4959c3e82073eabdb805e7cf36cb62f9403710972c5b7196

SHA512
bb8514d6ab19d7caf4f5ca070e7d0157513f6f20e5b34183c105bc9d56bf06ebb623004177d2c5d53c57e37fabd2b489eab25e2c4224032df984fa22fc6748df

Download Submit
\Users\Admin\AppData\Local\xbZcn5\SPP.dll

Filesize
1.2MB

MD5
6ef0f045f0a0ce5744f81066d1e340fd

SHA1
d9771aecde174376b7030258ecd764b5f5a420ff

SHA256
0b7411a7070eb2c77207a65b6c04232f2c2e6547155f61a4d8198766a37ba0d8

SHA512
c21299e6bd26c3765876d6fc5c9e4a1d2c4bc8ae97ac79d4015e0a85bf0c295fd88f74ba3e0d1a726d47e06f1e4c5672fcda8c90d39c4982a9b2dbc41c9de76e

Download Submit
memory/1656-72-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1656-71-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1656-81-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2764-42-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2764-0-0x00000179EF100000-0x00000179EF107000-memory.dmp

Filesize
28KB

Download
memory/2764-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3064-49-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3064-60-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3064-51-0x000002BD7E880000-0x000002BD7E887000-memory.dmp

Filesize
28KB

Download
memory/3064-50-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3168-92-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3168-102-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3408-34-0x0000000000620000-0x0000000000627000-memory.dmp

Filesize
28KB

Download
memory/3408-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-19-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-35-0x00007FFD942C5000-0x00007FFD942C6000-memory.dmp

Filesize
4KB

Download
memory/3408-36-0x00007FFD94410000-0x00007FFD94412000-memory.dmp

Filesize
8KB

Download
memory/3408-31-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-17-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-18-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-8-0x00007FFD941C3000-0x00007FFD941C4000-memory.dmp

Filesize
4KB

Download
memory/3408-7-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4336-582-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4336-589-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download