dridex | d2a9857b2a44d8a2cf5c90cb47040135626aaa7e4312cc91be2bc36c64edd08f

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoThreatDetected-d2a9857b2a44d8a2cf5c90cb47040135626aaa7e4312cc91be2bc36c64edd08fN.dll
Size

1.2MB
MD5

4c701019b6ecf3b6447881b611b63ec0
SHA1

38708fd32051761d67ae4eedfe9a3de15bee50fe
SHA256

d2a9857b2a44d8a2cf5c90cb47040135626aaa7e4312cc91be2bc36c64edd08f
SHA512

102b79e9ed116b503d106a44e3214354c0dd30b2c29d6be3d19df4236a5c7a5acb2238cb8268358ec216d2aa41f5ed33ccf96114834cea226b369f788268af06
SSDEEP

12288:lxE0waBckFdlxVRZ1hcyknDb3PTdcGvnx10k2d2Y6q2mQpxU1:XZLVJxVHfcLnDTZcG/xmk2d2qZwy1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1192-4-0x0000000002E70000-0x0000000002E71000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2936-1-0x000007FEF6900000-0x000007FEF6A38000-memory.dmp	dridex_payload
behavioral1/memory/1192-33-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_payload
behavioral1/memory/1192-25-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_payload
behavioral1/memory/1192-45-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_payload
behavioral1/memory/1192-44-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_payload
behavioral1/memory/2936-53-0x000007FEF6900000-0x000007FEF6A38000-memory.dmp	dridex_payload
behavioral1/memory/2768-63-0x000007FEF6900000-0x000007FEF6A39000-memory.dmp	dridex_payload
behavioral1/memory/2768-67-0x000007FEF6900000-0x000007FEF6A39000-memory.dmp	dridex_payload
behavioral1/memory/1740-80-0x000007FEF6400000-0x000007FEF656C000-memory.dmp	dridex_payload
behavioral1/memory/1740-84-0x000007FEF6400000-0x000007FEF656C000-memory.dmp	dridex_payload
behavioral1/memory/1188-96-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp	dridex_payload
behavioral1/memory/1188-100-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2768	msdtc.exe
1740	StikyNot.exe
1188	rekeywiz.exe

Loads dropped DLL 7 IoCs

pid	Process
1192	Process not Found
2768	msdtc.exe
1192	Process not Found
1740	StikyNot.exe
1192	Process not Found
1188	rekeywiz.exe
1192	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\S0SXSE\\StikyNot.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	rundll32.exe
2936	rundll32.exe
2936	rundll32.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2548	1192	Process not Found	31
PID 1192 wrote to memory of 2548	1192	Process not Found	31
PID 1192 wrote to memory of 2548	1192	Process not Found	31
PID 1192 wrote to memory of 2768	1192	Process not Found	32
PID 1192 wrote to memory of 2768	1192	Process not Found	32
PID 1192 wrote to memory of 2768	1192	Process not Found	32
PID 1192 wrote to memory of 3032	1192	Process not Found	33
PID 1192 wrote to memory of 3032	1192	Process not Found	33
PID 1192 wrote to memory of 3032	1192	Process not Found	33
PID 1192 wrote to memory of 1740	1192	Process not Found	34
PID 1192 wrote to memory of 1740	1192	Process not Found	34
PID 1192 wrote to memory of 1740	1192	Process not Found	34
PID 1192 wrote to memory of 2424	1192	Process not Found	35
PID 1192 wrote to memory of 2424	1192	Process not Found	35
PID 1192 wrote to memory of 2424	1192	Process not Found	35
PID 1192 wrote to memory of 1188	1192	Process not Found	36
PID 1192 wrote to memory of 1188	1192	Process not Found	36
PID 1192 wrote to memory of 1188	1192	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-d2a9857b2a44d8a2cf5c90cb47040135626aaa7e4312cc91be2bc36c64edd08fN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\FXv\msdtc.exe
C:\Users\Admin\AppData\Local\FXv\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2768

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:3032

C:\Users\Admin\AppData\Local\POv\StikyNot.exe
C:\Users\Admin\AppData\Local\POv\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1740

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:2424

C:\Users\Admin\AppData\Local\ZimAPwQg\rekeywiz.exe
C:\Users\Admin\AppData\Local\ZimAPwQg\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FXv\VERSION.dll

Filesize
1.2MB

MD5
c5637e9cabae90be4139bebfe7e9caad

SHA1
5780b7cc6fb1ada3fb7342004a868b4242901cf8

SHA256
a3a3b7868ae6402d0c32972636fec94a39560c85940655f293a4513c06beb823

SHA512
2ed4e7db9efedd58a684c23e8a59d48c4237dc3870866586263217fb08c280ef3e5bcc3e08c302edae8ee8ff65e639c099328c8490602b194e19fcfa8b0bdb05

Download Submit
C:\Users\Admin\AppData\Local\POv\DUI70.dll

Filesize
1.4MB

MD5
22f20d0e759fdfca3f46c557d8404084

SHA1
ee35f4140b8bd3fa584fc6e8178369d9674887ae

SHA256
4659fa45c4c36d6c4ee49e67f4d254a868c2f42f875aef0d0d26c4d20a49a7b9

SHA512
c14db61caa823cebb820d580e3a01004ee100a693730aae597f32f7764b6a1289d1fd505ee3d1bf4110349ced259b8f7d7bd43dee4280878a56a9b261f315a83

Download Submit
C:\Users\Admin\AppData\Local\POv\StikyNot.exe

Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
C:\Users\Admin\AppData\Local\ZimAPwQg\slc.dll

Filesize
1.2MB

MD5
6b71a747fc765b953f8540f8a296bffe

SHA1
edc3c0f3787edada6f5be12b3349a9ba96bde8b2

SHA256
af218fa4727f68f6bd7d9989bbad3d73c644197c9a5cac8a41c3eda30e4c51bc

SHA512
60e86e2b7a92a3d37459c7c281f4ebcd72f77ba128380bf3f3329353133b7a4e271db1f688b35b53525076392be902fb475ef3983d078b5f8d00b37232e78eec

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk

Filesize
1KB

MD5
c3708017959048712fcd7911b259c941

SHA1
8e56b763d34146289e6a6e2277f09726298c5045

SHA256
733dd9d75209d130f676bdf17d03e06e7dd2317cbe5ffcb0a77f5f56819c4179

SHA512
79cfccac3e8518e2482eeb5a4a33fbf3099a8033882d78177a9a0638747696fdd4d31ca25a6faa2c4653d1d3d28fa5999a6273f76510f01ad9591c6b141f1e6e

Download Submit
\Users\Admin\AppData\Local\FXv\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Local\ZimAPwQg\rekeywiz.exe

Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
memory/1188-100-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp

Filesize
1.2MB

Download
memory/1188-96-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp

Filesize
1.2MB

Download
memory/1192-25-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-45-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-3-0x0000000077676000-0x0000000077677000-memory.dmp

Filesize
4KB

Download
memory/1192-24-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-22-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-21-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-20-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-19-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-18-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-17-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-15-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-14-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-13-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-12-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-11-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-10-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-9-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-8-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-23-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-32-0x0000000002C10000-0x0000000002C17000-memory.dmp

Filesize
28KB

Download
memory/1192-44-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-4-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1192-54-0x0000000077676000-0x0000000077677000-memory.dmp

Filesize
4KB

Download
memory/1192-33-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-34-0x00000000779E0000-0x00000000779E2000-memory.dmp

Filesize
8KB

Download
memory/1192-6-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-7-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-16-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1192-35-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/1740-80-0x000007FEF6400000-0x000007FEF656C000-memory.dmp

Filesize
1.4MB

Download
memory/1740-79-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1740-84-0x000007FEF6400000-0x000007FEF656C000-memory.dmp

Filesize
1.4MB

Download
memory/2768-67-0x000007FEF6900000-0x000007FEF6A39000-memory.dmp

Filesize
1.2MB

Download
memory/2768-63-0x000007FEF6900000-0x000007FEF6A39000-memory.dmp

Filesize
1.2MB

Download
memory/2768-62-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2936-53-0x000007FEF6900000-0x000007FEF6A38000-memory.dmp

Filesize
1.2MB

Download
memory/2936-1-0x000007FEF6900000-0x000007FEF6A38000-memory.dmp

Filesize
1.2MB

Download
memory/2936-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download