dridex | 096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0.dll
Size

1.1MB
MD5

29b4a43d6fa90c2c28824982c991da5d
SHA1

f4693227a98c1b9a031bb6ad182c5f20b83de5f1
SHA256

096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0
SHA512

88fa077dc53d0bef81cdfc3d6da7f44ffc77ca3bdd5fd1818c37c0e9327fdd5b1749945393289b87f7aa2f0a2ddb11b924cea0861e83960bd858f7e353f43f2c
SSDEEP

12288:LkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:LkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1184-4-0x0000000002520000-0x0000000002521000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2644-0-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1184-24-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1184-36-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1184-35-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2644-44-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/3060-53-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/3060-58-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/2936-70-0x0000000140000000-0x0000000140120000-memory.dmp	dridex_payload
behavioral1/memory/2936-73-0x0000000140000000-0x0000000140120000-memory.dmp	dridex_payload
behavioral1/memory/592-97-0x0000000140000000-0x0000000140120000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3060	cttune.exe
2936	mspaint.exe
592	consent.exe

Loads dropped DLL 7 IoCs

pid	Process
1184	Process not Found
3060	cttune.exe
1184	Process not Found
2936	mspaint.exe
1184	Process not Found
592	consent.exe
1184	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\z6GuIom\\mspaint.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	rundll32.exe
2644	rundll32.exe
2644	rundll32.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2628	1184	Process not Found	30
PID 1184 wrote to memory of 2628	1184	Process not Found	30
PID 1184 wrote to memory of 2628	1184	Process not Found	30
PID 1184 wrote to memory of 3060	1184	Process not Found	31
PID 1184 wrote to memory of 3060	1184	Process not Found	31
PID 1184 wrote to memory of 3060	1184	Process not Found	31
PID 1184 wrote to memory of 2896	1184	Process not Found	32
PID 1184 wrote to memory of 2896	1184	Process not Found	32
PID 1184 wrote to memory of 2896	1184	Process not Found	32
PID 1184 wrote to memory of 2936	1184	Process not Found	33
PID 1184 wrote to memory of 2936	1184	Process not Found	33
PID 1184 wrote to memory of 2936	1184	Process not Found	33
PID 1184 wrote to memory of 636	1184	Process not Found	34
PID 1184 wrote to memory of 636	1184	Process not Found	34
PID 1184 wrote to memory of 636	1184	Process not Found	34
PID 1184 wrote to memory of 592	1184	Process not Found	35
PID 1184 wrote to memory of 592	1184	Process not Found	35
PID 1184 wrote to memory of 592	1184	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2628

C:\Users\Admin\AppData\Local\GtP7\cttune.exe
C:\Users\Admin\AppData\Local\GtP7\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3060

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:2896

C:\Users\Admin\AppData\Local\WAYPv38b\mspaint.exe
C:\Users\Admin\AppData\Local\WAYPv38b\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:636

C:\Users\Admin\AppData\Local\sWPnD\consent.exe
C:\Users\Admin\AppData\Local\sWPnD\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WAYPv38b\WINMM.dll

Filesize
1.1MB

MD5
c746afb32ebd908f760db317d8f1718d

SHA1
6653b5e6243a39c1e412c91f94919210ff047474

SHA256
e5072341e561fd63d08d3f14caf219ee0f167e4b3d957024c26f43a65df9986b

SHA512
3cea5261eb6bd3ece6dd8e43a6021aac5f295cb0d781e37e0acf05d770159e064c69cc545d15e3d6accfed5ff31d821031e9466580019d6ead8771ee2defe7eb

Download Submit
C:\Users\Admin\AppData\Local\sWPnD\WINMM.dll

Filesize
1.1MB

MD5
76eccc677a679c8c412b9b715ecc99ad

SHA1
f46df3320c5459a7c0ee6653d3c26ce285bdc3f7

SHA256
6e3a320f6655e7c22d3a59357608141e1a4c039a9a937d2f803cc9285de86e2a

SHA512
fe21a588e7e1bda4b539b5abbe4b073b9daba8891864dae813a39a6e5aee218c16eeb7d0e5293801a960ebf12cd57c700bdc3f9db5aeda5ba7349e73832acbd3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
730B

MD5
314871b6af3918bc9d331cc66825c523

SHA1
9760c4f77ee6fa99245a74b4dfa5f862d56fd5f6

SHA256
26e8c9cbead10e61a5b5f6e8089dda51d16469603d79768bc57e8dec80917b49

SHA512
501dae852205dffb374ac30ef682ecaa1fe288dc0f7058a8e312d41a0f310126ddee744316f0ea7119f689569a4bf41593aa1badb97e4c77aa3210a79184ae2d

Download Submit
\Users\Admin\AppData\Local\GtP7\OLEACC.dll

Filesize
1.1MB

MD5
b9d90510a0b5fac999226a4d55c153c1

SHA1
ab31f200c64926b5e2012ac0109a858672104de7

SHA256
15003fb1725efe07e514d200a92e1a675de701b3e98025856c1aa11a884b3cd8

SHA512
f89f5179f2730bc6ee8b30e18f99862b34a94c3e139fb58d30a2c52f620429dbc8ef211a94c7b38c5b00ffc7c4a130972654be882a63f3ed5d1913a9f9c817c1

Download Submit
\Users\Admin\AppData\Local\GtP7\cttune.exe

Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\WAYPv38b\mspaint.exe

Filesize
6.4MB

MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\sWPnD\consent.exe

Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
memory/592-97-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/1184-26-0x00000000778E0000-0x00000000778E2000-memory.dmp

Filesize
8KB

Download
memory/1184-45-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1184-10-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-9-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-8-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-7-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-6-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-24-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-3-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1184-25-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1184-36-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-35-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-4-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1184-11-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-23-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1184-14-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-13-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-12-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1184-15-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2644-44-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2644-0-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2644-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2936-70-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/2936-73-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/3060-58-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/3060-55-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/3060-53-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download