dridex | c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f.dll
Size

940KB
MD5

eac9db11159f94acffc10b94097debea
SHA1

c2b90ec31a8ba440f14131e5598cecdc65db300a
SHA256

c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f
SHA512

4c33638e34a9dcd5f05dab7f212c3dd8c0f293f5f61eb582420171712b27474fa043f1649a6e35c07f1c32afeb981027d14c6fae1361d788c29bb5144e109911
SSDEEP

12288:H0YTYL6Mqi7W8xto9OpWswk1GNup1XhBmsUqOZEYUANgBomHGe0zcPTP3E:H0CYZWgtWkEuHXhBmLHeuWBomaiP

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1216-4-0x0000000002E10000-0x0000000002E11000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/808-0-0x000007FEF66A0000-0x000007FEF678B000-memory.dmp	dridex_payload
behavioral1/memory/1216-17-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1216-25-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1216-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1216-38-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/808-45-0x000007FEF66A0000-0x000007FEF678B000-memory.dmp	dridex_payload
behavioral1/memory/2776-55-0x000007FEF6D30000-0x000007FEF6E1C000-memory.dmp	dridex_payload
behavioral1/memory/2776-59-0x000007FEF6D30000-0x000007FEF6E1C000-memory.dmp	dridex_payload
behavioral1/memory/2616-72-0x000007FEF66A0000-0x000007FEF678C000-memory.dmp	dridex_payload
behavioral1/memory/2616-76-0x000007FEF66A0000-0x000007FEF678C000-memory.dmp	dridex_payload
behavioral1/memory/1736-89-0x000007FEF66A0000-0x000007FEF678D000-memory.dmp	dridex_payload
behavioral1/memory/1736-93-0x000007FEF66A0000-0x000007FEF678D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2776	wusa.exe
2616	DeviceDisplayObjectProvider.exe
1736	calc.exe

Loads dropped DLL 7 IoCs

pid	Process
1216	Process not Found
2776	wusa.exe
1216	Process not Found
2616	DeviceDisplayObjectProvider.exe
1216	Process not Found
1736	calc.exe
1216	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{09943E69-9DC9-482F-8E4E-8C560C83150A}\\DYphvf\\DeviceDisplayObjectProvider.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found
1216	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2704	1216	Process not Found	31
PID 1216 wrote to memory of 2704	1216	Process not Found	31
PID 1216 wrote to memory of 2704	1216	Process not Found	31
PID 1216 wrote to memory of 2776	1216	Process not Found	32
PID 1216 wrote to memory of 2776	1216	Process not Found	32
PID 1216 wrote to memory of 2776	1216	Process not Found	32
PID 1216 wrote to memory of 2596	1216	Process not Found	33
PID 1216 wrote to memory of 2596	1216	Process not Found	33
PID 1216 wrote to memory of 2596	1216	Process not Found	33
PID 1216 wrote to memory of 2616	1216	Process not Found	34
PID 1216 wrote to memory of 2616	1216	Process not Found	34
PID 1216 wrote to memory of 2616	1216	Process not Found	34
PID 1216 wrote to memory of 2404	1216	Process not Found	35
PID 1216 wrote to memory of 2404	1216	Process not Found	35
PID 1216 wrote to memory of 2404	1216	Process not Found	35
PID 1216 wrote to memory of 1736	1216	Process not Found	36
PID 1216 wrote to memory of 1736	1216	Process not Found	36
PID 1216 wrote to memory of 1736	1216	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:808

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2704

C:\Users\Admin\AppData\Local\Aj9kz\wusa.exe
C:\Users\Admin\AppData\Local\Aj9kz\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:2596

C:\Users\Admin\AppData\Local\fjYFq\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\fjYFq\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2616

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2404

C:\Users\Admin\AppData\Local\AkW\calc.exe
C:\Users\Admin\AppData\Local\AkW\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Aj9kz\WTSAPI32.dll

Filesize
944KB

MD5
0e0859d7116b42b3342c0e560a0bf508

SHA1
3a3aa1245e3eb21213376eb6e6ff30b321d5d9ee

SHA256
2c5748560d5dc952f2ab4e79341ad632c6b4ce1dd05e90d04447b2076b3b87d6

SHA512
e71851254af201b09b3ff639240c19699dba4d579ee3fed79517b1b432b3af55e93b01100af3f7d40aae8d0b77f839b270ce4494d1030cda38032fa5185c165c

Download Submit
C:\Users\Admin\AppData\Local\fjYFq\XmlLite.dll

Filesize
944KB

MD5
6cfd118462f08458d24e0792f4195a6d

SHA1
2dda1644d6064d2c547263a9bde83981418b1082

SHA256
9e63ab8574904fb94040744d79f7d948ae9bc386294a8cdced99033f6e4097e0

SHA512
983731594f75d84f96b112152590a8f81a6d937379ea4731c3a723ea1c1cd6e1fc3d1a7ab35ab7a8afd355c2db61ac4aed28c97f8f8ce6579d56ca172ac8aead

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
96bedf72c78530c83cf6cafea6c7b3bf

SHA1
91e9d5de2638afbfa2b674a85a57bdf1aab96312

SHA256
c8350d3a5a6c6f645342bd627653f2243b7342d74edef314187cecfc0a78c941

SHA512
ad5005089a58f4e7ac554184e4a8bf513aeb39b1bc82ff539fe60c3b9d3b2456f04209ff3755fbd692da9345b4d039a3b30f807374b336b7a45d7705e9f69b62

Download Submit
\Users\Admin\AppData\Local\Aj9kz\wusa.exe

Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
\Users\Admin\AppData\Local\AkW\WINMM.dll

Filesize
948KB

MD5
5ddb6742630694b5e04f9fbac63bc6f3

SHA1
f34191cf57d8c15ac32b974e40f4ac0edd5f7977

SHA256
983bb4d064e5fee6983093bff8ae580b640f321eca6aa94f33413ab8b7622a57

SHA512
b039905679beb9b76c7382a8df11f10bfc7e59003c25f2ed73b74163a4dda960974e10d5cd2a456dea733ebafd4715a476de00accac219634e3951c470369929

Download Submit
\Users\Admin\AppData\Local\AkW\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\fjYFq\DeviceDisplayObjectProvider.exe

Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
memory/808-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/808-0-0x000007FEF66A0000-0x000007FEF678B000-memory.dmp

Filesize
940KB

Download
memory/808-45-0x000007FEF66A0000-0x000007FEF678B000-memory.dmp

Filesize
940KB

Download
memory/1216-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-26-0x0000000077730000-0x0000000077732000-memory.dmp

Filesize
8KB

Download
memory/1216-25-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-24-0x0000000002640000-0x0000000002647000-memory.dmp

Filesize
28KB

Download
memory/1216-16-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-38-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-46-0x00000000773C6000-0x00000000773C7000-memory.dmp

Filesize
4KB

Download
memory/1216-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-27-0x0000000077760000-0x0000000077762000-memory.dmp

Filesize
8KB

Download
memory/1216-3-0x00000000773C6000-0x00000000773C7000-memory.dmp

Filesize
4KB

Download
memory/1216-4-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1216-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-17-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1216-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1736-88-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/1736-89-0x000007FEF66A0000-0x000007FEF678D000-memory.dmp

Filesize
948KB

Download
memory/1736-93-0x000007FEF66A0000-0x000007FEF678D000-memory.dmp

Filesize
948KB

Download
memory/2616-71-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/2616-72-0x000007FEF66A0000-0x000007FEF678C000-memory.dmp

Filesize
944KB

Download
memory/2616-76-0x000007FEF66A0000-0x000007FEF678C000-memory.dmp

Filesize
944KB

Download
memory/2776-59-0x000007FEF6D30000-0x000007FEF6E1C000-memory.dmp

Filesize
944KB

Download
memory/2776-55-0x000007FEF6D30000-0x000007FEF6E1C000-memory.dmp

Filesize
944KB

Download
memory/2776-54-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download