dridex | 9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997.dll
Size

1.1MB
MD5

cf827ba49ebc6808cdc2946c97e697ae
SHA1

79f5163acc6e05138b311d3cc74d4c3cd3dc3d73
SHA256

9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997
SHA512

d3f7bff530fd6e18144eb544f7ce46e61a178bebe4d0625989f8a50c51ee076f0b41a07d6c5c9da0acf120027173fa18a30571dbe78ad45036410e357ac91af2
SSDEEP

12288:akMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:akMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1184-4-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2276-0-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1184-24-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1184-36-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1184-35-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2276-44-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2576-54-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/2576-58-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/3048-74-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/1988-90-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2576	SystemPropertiesComputerName.exe
3048	OptionalFeatures.exe
1988	SystemPropertiesDataExecutionPrevention.exe

Loads dropped DLL 7 IoCs

pid	Process
1184	Process not Found
2576	SystemPropertiesComputerName.exe
1184	Process not Found
3048	OptionalFeatures.exe
1184	Process not Found
1988	SystemPropertiesDataExecutionPrevention.exe
1184	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\0P2D2K~1\\OPTION~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	rundll32.exe
2276	rundll32.exe
2276	rundll32.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2832	1184	Process not Found	31
PID 1184 wrote to memory of 2832	1184	Process not Found	31
PID 1184 wrote to memory of 2832	1184	Process not Found	31
PID 1184 wrote to memory of 2576	1184	Process not Found	32
PID 1184 wrote to memory of 2576	1184	Process not Found	32
PID 1184 wrote to memory of 2576	1184	Process not Found	32
PID 1184 wrote to memory of 2660	1184	Process not Found	33
PID 1184 wrote to memory of 2660	1184	Process not Found	33
PID 1184 wrote to memory of 2660	1184	Process not Found	33
PID 1184 wrote to memory of 3048	1184	Process not Found	34
PID 1184 wrote to memory of 3048	1184	Process not Found	34
PID 1184 wrote to memory of 3048	1184	Process not Found	34
PID 1184 wrote to memory of 2780	1184	Process not Found	35
PID 1184 wrote to memory of 2780	1184	Process not Found	35
PID 1184 wrote to memory of 2780	1184	Process not Found	35
PID 1184 wrote to memory of 1988	1184	Process not Found	36
PID 1184 wrote to memory of 1988	1184	Process not Found	36
PID 1184 wrote to memory of 1988	1184	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2832

C:\Users\Admin\AppData\Local\fqc9\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\fqc9\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2576

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2660

C:\Users\Admin\AppData\Local\aGZkv43tF\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\aGZkv43tF\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3048

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2780

C:\Users\Admin\AppData\Local\wMhiBxkGn\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\wMhiBxkGn\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\aGZkv43tF\appwiz.cpl

Filesize
1.1MB

MD5
a093dfe1dc1ba7751945066924520f40

SHA1
1d91ea996bb7fd5c8c33f3d5d658092bebd0e455

SHA256
a1c53e0b20d6c711c2c81c90b0586db090aa43867b643a80f0bdc7cd3f4dd1e1

SHA512
76ca7de73dc8b3910248be059d00050718424c1b0aae062806c365902adb6c410628907753b9970e570b67a67160ebc342c5026af874ae5521a5b994763c05e4

Download Submit
C:\Users\Admin\AppData\Local\fqc9\SYSDM.CPL

Filesize
1.1MB

MD5
4592fcf199e0a30ca3a533fecbe8e30b

SHA1
7bce32f1687fb5df7fd0da6b7dac4674c99bcb8b

SHA256
fce76b10d2dde0db2cf3cd840fb9a0b8f1e4a3ba90b58bcc5481294c818634ea

SHA512
46b088100519ffe3bce1b46ecdcb275661fff704fea8cec8c818e22def9414950a1df72a9032219876143298b876fd2b88f3cc170059204242fb1982c3afff78

Download Submit
C:\Users\Admin\AppData\Local\wMhiBxkGn\SYSDM.CPL

Filesize
1.1MB

MD5
1760c67d64a678fa9a9eb8994d0e5717

SHA1
ffba25d6a7c43091c9145399d4dbd7dd0066090f

SHA256
16dc29fd6f3978e146a2d322fd81073168419b2c5883f31ede246f630f7b78d6

SHA512
41108f2cfc14abb6718131ce39148fd1ea49005a9648041a16aa0f7ad6b0a2744532c91655489d7b4b8b752580843afcc4426b331f5b6519f01b63e88aa80915

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
89c4376c05d7c726a04d719dc396b68c

SHA1
cb3a100f7a487e862675d2c682ad076146523410

SHA256
c6221ee0439b35081e75fbd09888b88abc2a246ef96ea70941fab1fa8ce8927e

SHA512
4f56e8f889fca98df563dc06308a968c7c0d467c517aa4df22f4c9b84fc7d79b569977e0286f49c5f2ebdc074c4cd68aeef978b6e6c0db9d4307c0eb6fb6fb86

Download Submit
\Users\Admin\AppData\Local\aGZkv43tF\OptionalFeatures.exe

Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\fqc9\SystemPropertiesComputerName.exe

Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\wMhiBxkGn\SystemPropertiesDataExecutionPrevention.exe

Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
memory/1184-8-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-15-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-26-0x0000000077290000-0x0000000077292000-memory.dmp

Filesize
8KB

Download
memory/1184-25-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/1184-24-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-14-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-12-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-9-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-10-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-6-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-23-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1184-36-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-35-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-13-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-45-0x0000000076FF6000-0x0000000076FF7000-memory.dmp

Filesize
4KB

Download
memory/1184-11-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-7-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-3-0x0000000076FF6000-0x0000000076FF7000-memory.dmp

Filesize
4KB

Download
memory/1184-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1988-90-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2276-44-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2276-0-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2276-2-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2576-58-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2576-54-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2576-53-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/3048-74-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download