dridex | 1b5c27cfe83c97a8a00dffd74caa9464e5a52bd2ffcac5382db378ef008f49d2

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5c27cfe83c97a8a00dffd74caa9464e5a52bd2ffcac5382db378ef008f49d2.dll
Size

1.5MB
MD5

39273691ed194c18055810147be4d04f
SHA1

09e52e5ef498c927672313f1b9899d0697929bf1
SHA256

1b5c27cfe83c97a8a00dffd74caa9464e5a52bd2ffcac5382db378ef008f49d2
SHA512

923ab6d6db240e2605ae869ee9c05bc3bf15889c516a5a0fa7483065fb6a539dbcc28eaa1ad44ec7569da980117bca055255abf370fb6e2ba1846f283135859c
SSDEEP

12288:lXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:5B/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002F20000-0x0000000002F21000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2544-2-0x000007FEF6410000-0x000007FEF658E000-memory.dmp	dridex_payload
behavioral1/memory/1196-30-0x0000000140000000-0x000000014017E000-memory.dmp	dridex_payload
behavioral1/memory/1196-22-0x0000000140000000-0x000000014017E000-memory.dmp	dridex_payload
behavioral1/memory/1196-41-0x0000000140000000-0x000000014017E000-memory.dmp	dridex_payload
behavioral1/memory/1196-42-0x0000000140000000-0x000000014017E000-memory.dmp	dridex_payload
behavioral1/memory/2544-50-0x000007FEF6410000-0x000007FEF658E000-memory.dmp	dridex_payload
behavioral1/memory/2972-59-0x000007FEF6410000-0x000007FEF658F000-memory.dmp	dridex_payload
behavioral1/memory/2972-64-0x000007FEF6410000-0x000007FEF658F000-memory.dmp	dridex_payload
behavioral1/memory/1412-77-0x000007FEF5EF0000-0x000007FEF606F000-memory.dmp	dridex_payload
behavioral1/memory/1412-81-0x000007FEF5EF0000-0x000007FEF606F000-memory.dmp	dridex_payload
behavioral1/memory/2924-97-0x000007FEF5EF0000-0x000007FEF606F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2972	PresentationSettings.exe
1412	SystemPropertiesHardware.exe
2924	OptionalFeatures.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
2972	PresentationSettings.exe
1196	Process not Found
1412	SystemPropertiesHardware.exe
1196	Process not Found
2924	OptionalFeatures.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\NK\\SystemPropertiesHardware.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2700	1196	Process not Found	31
PID 1196 wrote to memory of 2700	1196	Process not Found	31
PID 1196 wrote to memory of 2700	1196	Process not Found	31
PID 1196 wrote to memory of 2972	1196	Process not Found	32
PID 1196 wrote to memory of 2972	1196	Process not Found	32
PID 1196 wrote to memory of 2972	1196	Process not Found	32
PID 1196 wrote to memory of 2228	1196	Process not Found	33
PID 1196 wrote to memory of 2228	1196	Process not Found	33
PID 1196 wrote to memory of 2228	1196	Process not Found	33
PID 1196 wrote to memory of 1412	1196	Process not Found	34
PID 1196 wrote to memory of 1412	1196	Process not Found	34
PID 1196 wrote to memory of 1412	1196	Process not Found	34
PID 1196 wrote to memory of 2948	1196	Process not Found	35
PID 1196 wrote to memory of 2948	1196	Process not Found	35
PID 1196 wrote to memory of 2948	1196	Process not Found	35
PID 1196 wrote to memory of 2924	1196	Process not Found	36
PID 1196 wrote to memory of 2924	1196	Process not Found	36
PID 1196 wrote to memory of 2924	1196	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b5c27cfe83c97a8a00dffd74caa9464e5a52bd2ffcac5382db378ef008f49d2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2700

C:\Users\Admin\AppData\Local\JxJCyqA3\PresentationSettings.exe
C:\Users\Admin\AppData\Local\JxJCyqA3\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2972

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:2228

C:\Users\Admin\AppData\Local\pYgGyYEzG\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\pYgGyYEzG\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1412

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2948

C:\Users\Admin\AppData\Local\EzQu8TE\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\EzQu8TE\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EzQu8TE\appwiz.cpl

Filesize
1.5MB

MD5
f05e0d864bbb1fc150e390800f9a2496

SHA1
f32d3ef441d79ac3247cc9dfc0a01da26f8eab2f

SHA256
ba1bf9700823f2f17dfc43b1dd530d37169ae527aa58a7bcae1cd8ccc37767ff

SHA512
822c3ad190c392cd9831439025ee6d77eb2271df45d83b9ed45b8e02a5bed4987e0adc6b092404e426a82128120f82fe3667f9f045e59b768b8e357adca78a07

Download Submit
C:\Users\Admin\AppData\Local\JxJCyqA3\slc.dll

Filesize
1.5MB

MD5
0bac2b2436fd25c6c3882ae85aa8d2c5

SHA1
0d470f0b118bc2f616a9978512032552bcc4154b

SHA256
20faae17db5cc93234e8b06bbdff644cfa97a5993b23bef3c4b331df7c87dad8

SHA512
2638868c59808a1df533a0d790360f793ebbb3f9441455d01965ba4df377c431e6da172fe1051e1c4853ead93b75ea326fb7f7beeb4044d822e221645dd40ec1

Download Submit
C:\Users\Admin\AppData\Local\pYgGyYEzG\SYSDM.CPL

Filesize
1.5MB

MD5
70201977a954b91656ca78b1b6b088d3

SHA1
2159c9c823334e9b5a84b7566df51a578be2c82b

SHA256
e54fd041e3440ebaff127333b028d61079532024d5940f19a299668693856597

SHA512
b72149142a6bf827d9278a6a104bc46c8be57649cbfab666321c4d09427c9abfbcb2ac710fcaef89179a206101b4f8cc9b8c8638f4bdf0ed76a22e86695181cf

Download Submit
C:\Users\Admin\AppData\Local\pYgGyYEzG\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
a2db026da66c9bff372ef29d738fbe0e

SHA1
be3961412ab5a720165eb6f9cb5296101191c753

SHA256
01e57491ff1a203302d6920edef3d298ee967b926708e8041b5ec8de84bb874f

SHA512
aa75e05d9bd04a26b808192fe326004e66484ee762fefe04a00b5263dea2499b374543cf5744e8817b122553cd967d6a9bbb253b8f61f87cc7737f380e79d284

Download Submit
\Users\Admin\AppData\Local\EzQu8TE\OptionalFeatures.exe

Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\JxJCyqA3\PresentationSettings.exe

Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
memory/1196-10-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-11-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-9-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-3-0x0000000077256000-0x0000000077257000-memory.dmp

Filesize
4KB

Download
memory/1196-32-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/1196-31-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/1196-30-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-29-0x0000000002E00000-0x0000000002E07000-memory.dmp

Filesize
28KB

Download
memory/1196-22-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-21-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-20-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-19-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-18-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-17-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-16-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-15-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-14-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-8-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-41-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-42-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-5-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1196-51-0x0000000077256000-0x0000000077257000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-6-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-7-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1196-13-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1412-76-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1412-77-0x000007FEF5EF0000-0x000007FEF606F000-memory.dmp

Filesize
1.5MB

Download
memory/1412-81-0x000007FEF5EF0000-0x000007FEF606F000-memory.dmp

Filesize
1.5MB

Download
memory/2544-50-0x000007FEF6410000-0x000007FEF658E000-memory.dmp

Filesize
1.5MB

Download
memory/2544-2-0x000007FEF6410000-0x000007FEF658E000-memory.dmp

Filesize
1.5MB

Download
memory/2544-0-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/2924-97-0x000007FEF5EF0000-0x000007FEF606F000-memory.dmp

Filesize
1.5MB

Download
memory/2972-64-0x000007FEF6410000-0x000007FEF658F000-memory.dmp

Filesize
1.5MB

Download
memory/2972-61-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2972-59-0x000007FEF6410000-0x000007FEF658F000-memory.dmp

Filesize
1.5MB

Download