dridex | ddc50ab4f6757dd5480e6aa78969bc0b5cd646742b59bd90855436618a44ebbd

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoThreatDetectedddc50ab4f6757dd5480e6aa78969bc0b5cd646742b59bd90855436618a44ebbdN.dll
Size

1.8MB
MD5

e14d296a8d3172360c2d73bd3baab2b0
SHA1

0898ae4f9a6926d308a1e24e7f7a2fab85580541
SHA256

ddc50ab4f6757dd5480e6aa78969bc0b5cd646742b59bd90855436618a44ebbd
SHA512

1874fce4ac65204917ba183d5eb10ae607f9403b3a878f1bc402c80b36959e2cc71fc49f8115710d1a76d07efa5e2bc39429d075d9b4c5c517121add23a23856
SSDEEP

12288:PxE0waBckFdlxVRZ1hcyknDb3PTdcGvnx10k2d2Y6q2mQpxVOa:ZZLVJxVHfcLnDTZcG/xmk2d2qZwq

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-4-0x0000000002E90000-0x0000000002E91000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1984-0-0x000007FEF6360000-0x000007FEF652F000-memory.dmp	dridex_payload
behavioral1/memory/1192-45-0x0000000140000000-0x00000001401CF000-memory.dmp	dridex_payload
behavioral1/memory/1192-46-0x0000000140000000-0x00000001401CF000-memory.dmp	dridex_payload
behavioral1/memory/1192-40-0x0000000140000000-0x00000001401CF000-memory.dmp	dridex_payload
behavioral1/memory/1192-32-0x0000000140000000-0x00000001401CF000-memory.dmp	dridex_payload
behavioral1/memory/1984-54-0x000007FEF6360000-0x000007FEF652F000-memory.dmp	dridex_payload
behavioral1/memory/1280-66-0x000007FEF6530000-0x000007FEF6700000-memory.dmp	dridex_payload
behavioral1/memory/1280-71-0x000007FEF6530000-0x000007FEF6700000-memory.dmp	dridex_payload
behavioral1/memory/2824-83-0x000007FEF6520000-0x000007FEF66F6000-memory.dmp	dridex_payload
behavioral1/memory/2824-88-0x000007FEF6520000-0x000007FEF66F6000-memory.dmp	dridex_payload
behavioral1/memory/580-107-0x000007FEF6530000-0x000007FEF6700000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

VaultSysUi.exeDevicePairingWizard.exeVaultSysUi.exe

pid	Process
1280	VaultSysUi.exe
2824	DevicePairingWizard.exe
580	VaultSysUi.exe

Loads dropped DLL 9 IoCs

Processes:

VaultSysUi.exeDevicePairingWizard.exeVaultSysUi.exe

pid	Process
1192
1192
1280	VaultSysUi.exe
1192
2824	DevicePairingWizard.exe
1192
1192
580	VaultSysUi.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\g5CaB\\DevicePairingWizard.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeVaultSysUi.exeDevicePairingWizard.exeVaultSysUi.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeVaultSysUi.exe

pid	Process
1984	rundll32.exe
1984	rundll32.exe
1984	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1280	VaultSysUi.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1192 wrote to memory of 2648	1192	31
PID 1192 wrote to memory of 2648	1192	31
PID 1192 wrote to memory of 2648	1192	31
PID 1192 wrote to memory of 1280	1192	32
PID 1192 wrote to memory of 1280	1192	32
PID 1192 wrote to memory of 1280	1192	32
PID 1192 wrote to memory of 672	1192	33
PID 1192 wrote to memory of 672	1192	33
PID 1192 wrote to memory of 672	1192	33
PID 1192 wrote to memory of 2824	1192	34
PID 1192 wrote to memory of 2824	1192	34
PID 1192 wrote to memory of 2824	1192	34
PID 1192 wrote to memory of 1512	1192	35
PID 1192 wrote to memory of 1512	1192	35
PID 1192 wrote to memory of 1512	1192	35
PID 1192 wrote to memory of 580	1192	36
PID 1192 wrote to memory of 580	1192	36
PID 1192 wrote to memory of 580	1192	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NoThreatDetectedddc50ab4f6757dd5480e6aa78969bc0b5cd646742b59bd90855436618a44ebbdN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\AU8FJCXP\VaultSysUi.exe
C:\Users\Admin\AppData\Local\AU8FJCXP\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:672

C:\Users\Admin\AppData\Local\mXS\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\mXS\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2824

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:1512

C:\Users\Admin\AppData\Local\rQT\VaultSysUi.exe
C:\Users\Admin\AppData\Local\rQT\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AU8FJCXP\VaultSysUi.exe

Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
C:\Users\Admin\AppData\Local\AU8FJCXP\credui.dll

Filesize
1.8MB

MD5
7339ac01e30ac4133e9a3cb66f32b011

SHA1
41eb40a590987154a7c3d16b06963f2522d04647

SHA256
792c4090b07a60621c157b1714c9e9831c325d1b8ca3e2dad04ef9114164d371

SHA512
9ae7bd6eb01f0b1c01cec565d329af6a4cf07c43586302589373f6e44813a5b31f8d52dc76e10e9f8cf412b92cc19860f75fecddc8a43a222fb51d5204550517

Download Submit
C:\Users\Admin\AppData\Local\mXS\MFC42u.dll

Filesize
1.8MB

MD5
2ef223a1479895cb81d315a483323814

SHA1
462aa7b3e57260f8f06c25d61ffc4f082b4c0e53

SHA256
f6b8414529489e7f8312dd6ee4ba0a85a445503ea346c7febac0fa03758e9e30

SHA512
f2326764bac6a03b556e9ab4525559fe2de3e1f15c855c2bbbb92f2a8bf0dec3e75af0fe1ea94ab419bf62068bea977d69b82a3723990dd94b60d358aa852131

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk

Filesize
1KB

MD5
6afbc9ee116fd79215b8d1ca47f9d3b0

SHA1
ecf98438b2b4337601e73df8efcb1d9c320dff29

SHA256
80fec8bf602859a49e6c1798418ec4534949c729338e3ad1645d90421a104ba3

SHA512
ea850feaf8430e13bd3ef2495b78d6835ad69e026bf03e8cd8163b11f4e5168b5ca100d3cfa60e6ed464e7fda28d0b08f8b19dc087a0a635e41e1c7a7ac9c560

Download Submit
\Users\Admin\AppData\Local\mXS\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\rQT\credui.dll

Filesize
1.8MB

MD5
615f05615efb80dd4b23bb21132ac20a

SHA1
56f2f93cc7d22fe7a06f0be93b2493b8d6f37b81

SHA256
73cd95fbfacd33c06e9cadf81b5ab373f02da323de1482352fde9579c9aa10bb

SHA512
9565f232539afa5d994a73a71a5c978a9e4e517bc86c9517645f87044f106e015d5a86a5fe7d382a41d3b1eb9146ef742fbe56ca92296b00fe78d810e0bcbd78

Download Submit
memory/580-107-0x000007FEF6530000-0x000007FEF6700000-memory.dmp

Filesize
1.8MB

Download
memory/1192-42-0x0000000077B80000-0x0000000077B82000-memory.dmp

Filesize
8KB

Download
memory/1192-18-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-20-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-30-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-10-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-24-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-3-0x00000000778E6000-0x00000000778E7000-memory.dmp

Filesize
4KB

Download
memory/1192-45-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-46-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-41-0x0000000077B50000-0x0000000077B52000-memory.dmp

Filesize
8KB

Download
memory/1192-40-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-39-0x0000000002D60000-0x0000000002D67000-memory.dmp

Filesize
28KB

Download
memory/1192-32-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-31-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-29-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-28-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-27-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-26-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-25-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-23-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-22-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-21-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-19-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-8-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-17-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-16-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-4-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1192-14-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-12-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-11-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-9-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-55-0x00000000778E6000-0x00000000778E7000-memory.dmp

Filesize
4KB

Download
memory/1192-13-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-15-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-7-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1192-6-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1280-71-0x000007FEF6530000-0x000007FEF6700000-memory.dmp

Filesize
1.8MB

Download
memory/1280-66-0x000007FEF6530000-0x000007FEF6700000-memory.dmp

Filesize
1.8MB

Download
memory/1280-68-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/1984-54-0x000007FEF6360000-0x000007FEF652F000-memory.dmp

Filesize
1.8MB

Download
memory/1984-0-0x000007FEF6360000-0x000007FEF652F000-memory.dmp

Filesize
1.8MB

Download
memory/1984-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2824-85-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2824-83-0x000007FEF6520000-0x000007FEF66F6000-memory.dmp

Filesize
1.8MB

Download
memory/2824-88-0x000007FEF6520000-0x000007FEF66F6000-memory.dmp

Filesize
1.8MB

Download