dridex | 44b1063452fdb12ba26b5e6c2b2b1f71330b165f1ab8cbb2f199c048f519e8cb

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44b1063452fdb12ba26b5e6c2b2b1f71330b165f1ab8cbb2f199c048f519e8cb.dll
Size

940KB
MD5

2d9b177ec1f707009b9a808af771d99a
SHA1

a390ee7e32d4c73c0eca3b23134cd990684d4a67
SHA256

44b1063452fdb12ba26b5e6c2b2b1f71330b165f1ab8cbb2f199c048f519e8cb
SHA512

bcc1b7b6a32d43adfb20e81b095d842a1d7c0e197a1f742189cfbdd6fe96f24336f39de968f304ab7955ce66197aaf9ff3a99e12252eadd5adfe6ee6b94849d7
SSDEEP

12288:CPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:CtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/292-0-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1196-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1196-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1196-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/292-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2640-54-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2640-58-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2228-75-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1648-91-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2640	SystemPropertiesProtection.exe
2228	UI0Detect.exe
1648	OptionalFeatures.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
2640	SystemPropertiesProtection.exe
1196	Process not Found
2228	UI0Detect.exe
1196	Process not Found
1648	OptionalFeatures.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\9hRKe1g\\UI0Detect.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
292	regsvr32.exe
292	regsvr32.exe
292	regsvr32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2908	1196	Process not Found	31
PID 1196 wrote to memory of 2908	1196	Process not Found	31
PID 1196 wrote to memory of 2908	1196	Process not Found	31
PID 1196 wrote to memory of 2640	1196	Process not Found	32
PID 1196 wrote to memory of 2640	1196	Process not Found	32
PID 1196 wrote to memory of 2640	1196	Process not Found	32
PID 1196 wrote to memory of 2688	1196	Process not Found	33
PID 1196 wrote to memory of 2688	1196	Process not Found	33
PID 1196 wrote to memory of 2688	1196	Process not Found	33
PID 1196 wrote to memory of 2228	1196	Process not Found	34
PID 1196 wrote to memory of 2228	1196	Process not Found	34
PID 1196 wrote to memory of 2228	1196	Process not Found	34
PID 1196 wrote to memory of 1416	1196	Process not Found	35
PID 1196 wrote to memory of 1416	1196	Process not Found	35
PID 1196 wrote to memory of 1416	1196	Process not Found	35
PID 1196 wrote to memory of 1648	1196	Process not Found	36
PID 1196 wrote to memory of 1648	1196	Process not Found	36
PID 1196 wrote to memory of 1648	1196	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\44b1063452fdb12ba26b5e6c2b2b1f71330b165f1ab8cbb2f199c048f519e8cb.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:292

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:2908

C:\Users\Admin\AppData\Local\GpQujY\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\GpQujY\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:2688

C:\Users\Admin\AppData\Local\u18Pc4U\UI0Detect.exe
C:\Users\Admin\AppData\Local\u18Pc4U\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2228

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:1416

C:\Users\Admin\AppData\Local\RIm\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\RIm\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GpQujY\SYSDM.CPL

Filesize
944KB

MD5
a18f4a39ce0f990c2b1e5ac2090b3196

SHA1
c9202a90e94b071ea84c5019179e0902d733afbd

SHA256
b27765f996d36718e15657245a664e8adbfe500b598da0ede844c1a7c2aac7c0

SHA512
74d945a20c30440267ae4278d6b8dd27908c2dd2dc346d292e2ea7800399fe8d368a9fd34dd76c1ff1131daae209dd2bb0cd922e44f1508bad9541a555af3ebd

Download Submit
C:\Users\Admin\AppData\Local\RIm\appwiz.cpl

Filesize
944KB

MD5
93bc6d626ccf0c0686c7e39e917d9a49

SHA1
74595079dfc35076c912f8949177fe149e196897

SHA256
0d367bebd2a32125ba05dfeab33daf2e8908fdea05123e1c7466bc6e8af3c2f4

SHA512
33e65b16a4e55e69fc9bfda63838d703be0593dfe301c964deb2416a6c7c1b47b9c66e0b19b113e19ab50bb105fa5f4017f18b9670d8e9f6b73b3fb6bd30be40

Download Submit
C:\Users\Admin\AppData\Local\u18Pc4U\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
C:\Users\Admin\AppData\Local\u18Pc4U\VERSION.dll

Filesize
944KB

MD5
bb7c68e9e8b2bccf6b880f981260f2ca

SHA1
e46fdbd3d536cbb57fbf33ce24f2318437aff4c1

SHA256
840b971e26d6a95cf93d604bc983933182db19fcf089374a467b395e139507f4

SHA512
1e1119493d86ab8ab1bee8b379572da580729d8240cb87672f94b6f3513389c86c4ceb709b07bd132c4d971e940ecf87882920f16f6c56b8de388e4e0c974035

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
493c1476f0916fea3b14518c786c032b

SHA1
74b758c2e026fa681203ee11456726b6bc607fe0

SHA256
0717566cad7fe5b7dcf08cebcb3a90bee40b82fbfab7daa1df6a2bdbf170c96c

SHA512
efd34abf141469ce53524e6551303e4893a0a8a374c5018d49dfc7092aacb08800a775d9099d67dcf3514bd5615b00c99002c2c478bf4c0db80f7266f4a39837

Download Submit
\Users\Admin\AppData\Local\GpQujY\SystemPropertiesProtection.exe

Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\RIm\OptionalFeatures.exe

Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
memory/292-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/292-0-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/292-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-26-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/1196-23-0x0000000002E00000-0x0000000002E07000-memory.dmp

Filesize
28KB

Download
memory/1196-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-25-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/1196-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-45-0x0000000077256000-0x0000000077257000-memory.dmp

Filesize
4KB

Download
memory/1196-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-3-0x0000000077256000-0x0000000077257000-memory.dmp

Filesize
4KB

Download
memory/1196-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/1196-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1648-91-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2228-70-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2228-75-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2640-58-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2640-54-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2640-53-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download