dridex | eee2e1a66ec290793a4c288e15f1517031ae55eb7af9a1f5215ca63366c067d0

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f27d0ce1d6f4f2dc3ca5cd5d21185e04_JaffaCakes118.dll
Size

1.2MB
MD5

f27d0ce1d6f4f2dc3ca5cd5d21185e04
SHA1

ceb9a18cca6d60940ba6817f65b0c7d6c715ba9a
SHA256

eee2e1a66ec290793a4c288e15f1517031ae55eb7af9a1f5215ca63366c067d0
SHA512

55de677ed09b5cae3a18a799b010e09e2e33446f306b858d7b58adfcfc1aab83968320f898f354f28da57e86038b9c93d6a771760a8cc76e8481c1e9cc06a6ea
SSDEEP

24576:PyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:PyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3460-4-0x0000000002D50000-0x0000000002D51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

pid	Process
1900	consent.exe
2900	usocoreworker.exe
2968	wlrmdr.exe
2096	recdisc.exe

Loads dropped DLL 3 IoCs

pid	Process
2900	usocoreworker.exe
2968	wlrmdr.exe
2096	recdisc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wbdoaalrz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-656926755-4116854191-210765258-1000\\DZ\\wlrmdr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5016	rundll32.exe
5016	rundll32.exe
5016	rundll32.exe
5016	rundll32.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 5092	3460	Process not Found	91
PID 3460 wrote to memory of 5092	3460	Process not Found	91
PID 3460 wrote to memory of 1900	3460	Process not Found	92
PID 3460 wrote to memory of 1900	3460	Process not Found	92
PID 3460 wrote to memory of 1564	3460	Process not Found	93
PID 3460 wrote to memory of 1564	3460	Process not Found	93
PID 3460 wrote to memory of 2900	3460	Process not Found	94
PID 3460 wrote to memory of 2900	3460	Process not Found	94
PID 3460 wrote to memory of 3772	3460	Process not Found	95
PID 3460 wrote to memory of 3772	3460	Process not Found	95
PID 3460 wrote to memory of 2968	3460	Process not Found	96
PID 3460 wrote to memory of 2968	3460	Process not Found	96
PID 3460 wrote to memory of 1156	3460	Process not Found	97
PID 3460 wrote to memory of 1156	3460	Process not Found	97
PID 3460 wrote to memory of 2096	3460	Process not Found	98
PID 3460 wrote to memory of 2096	3460	Process not Found	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f27d0ce1d6f4f2dc3ca5cd5d21185e04_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:5092

C:\Users\Admin\AppData\Local\AslPu\consent.exe
C:\Users\Admin\AppData\Local\AslPu\consent.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:1564

C:\Users\Admin\AppData\Local\g2VtxS\usocoreworker.exe
C:\Users\Admin\AppData\Local\g2VtxS\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2900

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:3772

C:\Users\Admin\AppData\Local\XQskkbjW\wlrmdr.exe
C:\Users\Admin\AppData\Local\XQskkbjW\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2968

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:1156

C:\Users\Admin\AppData\Local\n4bLbgHGp\recdisc.exe
C:\Users\Admin\AppData\Local\n4bLbgHGp\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AslPu\consent.exe

Filesize
162KB

MD5
6646631ce4ad7128762352da81f3b030

SHA1
1095bd4b63360fc2968d75622aa745e5523428ab

SHA256
56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

SHA512
1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

Download Submit
C:\Users\Admin\AppData\Local\XQskkbjW\DUI70.dll

Filesize
1.5MB

MD5
1d9777aa06c9ed15f000912d7ca04a29

SHA1
9508d73126770e8105ab7f89aae94dc883a8a480

SHA256
ded27f2e0eb533ddc392e2588c71e8a341e161a59ed14da01aa8d50d1be09b1b

SHA512
8eb8a7b28c8cc563a432310da2d5302386b86a642c4908c0e82b7db20faea979f5dd05628d0fa9d57f08f890ba13198bf5e9c36f61daec77cf6ad200c1d899dc

Download Submit
C:\Users\Admin\AppData\Local\XQskkbjW\wlrmdr.exe

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Local\g2VtxS\XmlLite.dll

Filesize
1.2MB

MD5
83a9d1f49af422560f9c0c07cff94efb

SHA1
76800e688286e6e63f9a0ed347c43a962eec9b4c

SHA256
28e2ea830a5b8863dd938a4d1baadf2d97a0e3bac5f8009349f5be21c1a3fcb1

SHA512
d884fcebd7781462a553d0846c0642f36ca188a0f96ae3c084caef4c7f30385e96372694aac20c1444f0b4427efc93662f89fd760bb4691532062cfc6e93b229

Download Submit
C:\Users\Admin\AppData\Local\g2VtxS\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\n4bLbgHGp\ReAgent.dll

Filesize
1.2MB

MD5
8262b5db6de879c9c4e6c202cbec6673

SHA1
205555dfaa428d75fe570282bfbf43a2533ba466

SHA256
6e722fd0f4fa23562910bf0e1da7416313bb58b701d80bff4a390c391753482a

SHA512
be82dc5aaebc94be5f2826a917827648275598e14f9e1e03857d6b6dea2b664c812ee51855b07419b14e5739ba45e17ccf35df6cb8586ec440f9cab741640302

Download Submit
C:\Users\Admin\AppData\Local\n4bLbgHGp\recdisc.exe

Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk

Filesize
1KB

MD5
da7c2175c77fce05306b5d763d5a9d84

SHA1
f8c7a554f322060b376a0f39bf9494c7a9d726e8

SHA256
bb362fcf8c1f1a36589513e4440036a2fb5d503db134a48af1cdea343c22a00f

SHA512
14e5fe184af6df7871a8844b6160a5b88d5a7145cc7485c4a50bcdcd35d3ed4c5d48adf9a4a1d13c7ec11b42923137e1183c2c3238c2b9ab7e60977f4887a428

Download Submit
memory/2096-94-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2900-56-0x000002817A3C0000-0x000002817A3C7000-memory.dmp

Filesize
28KB

Download
memory/2900-59-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2900-53-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2968-72-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2968-75-0x000001B1EF130000-0x000001B1EF137000-memory.dmp

Filesize
28KB

Download
memory/2968-77-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3460-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-5-0x00007FFDF72BA000-0x00007FFDF72BB000-memory.dmp

Filesize
4KB

Download
memory/3460-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-35-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-4-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/3460-25-0x0000000002D30000-0x0000000002D37000-memory.dmp

Filesize
28KB

Download
memory/3460-26-0x00007FFDF8050000-0x00007FFDF8060000-memory.dmp

Filesize
64KB

Download
memory/3460-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3460-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5016-0-0x000002D7CEAB0000-0x000002D7CEAB7000-memory.dmp

Filesize
28KB

Download
memory/5016-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5016-2-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download