dridex | 6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll
Size

1.1MB
MD5

e6d1c2e5b87a7ed6ba3589239a6f4df1
SHA1

23b73577254af4ca38171c0414b44bdee8980c50
SHA256

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b
SHA512

9c6be91ff095cc8828ae4aff713ceb20e098f81e49ba3a2e61c16b9c06d99bfb14604e5074811d2a0de176748b96a06f72ad0a3d3e8b21827d43eb087b1ecae8
SSDEEP

12288:4kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:4kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1180-4-0x00000000025A0000-0x00000000025A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2440-0-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1180-23-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1180-36-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1180-35-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/2440-43-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1500-53-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1500-57-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/3020-74-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2856-86-0x0000000140000000-0x0000000140150000-memory.dmp	dridex_payload
behavioral1/memory/2856-89-0x0000000140000000-0x0000000140150000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1500	recdisc.exe
3020	spreview.exe
2856	Utilman.exe

Loads dropped DLL 7 IoCs

pid	Process
1180	Process not Found
1500	recdisc.exe
1180	Process not Found
3020	spreview.exe
1180	Process not Found
2856	Utilman.exe
1180	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\Jmk7b2\\spreview.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2608	1180	Process not Found	30
PID 1180 wrote to memory of 2608	1180	Process not Found	30
PID 1180 wrote to memory of 2608	1180	Process not Found	30
PID 1180 wrote to memory of 1500	1180	Process not Found	31
PID 1180 wrote to memory of 1500	1180	Process not Found	31
PID 1180 wrote to memory of 1500	1180	Process not Found	31
PID 1180 wrote to memory of 1468	1180	Process not Found	32
PID 1180 wrote to memory of 1468	1180	Process not Found	32
PID 1180 wrote to memory of 1468	1180	Process not Found	32
PID 1180 wrote to memory of 3020	1180	Process not Found	33
PID 1180 wrote to memory of 3020	1180	Process not Found	33
PID 1180 wrote to memory of 3020	1180	Process not Found	33
PID 1180 wrote to memory of 1976	1180	Process not Found	34
PID 1180 wrote to memory of 1976	1180	Process not Found	34
PID 1180 wrote to memory of 1976	1180	Process not Found	34
PID 1180 wrote to memory of 2856	1180	Process not Found	35
PID 1180 wrote to memory of 2856	1180	Process not Found	35
PID 1180 wrote to memory of 2856	1180	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\qsjhvB\recdisc.exe
C:\Users\Admin\AppData\Local\qsjhvB\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1500

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\kcwG2\spreview.exe
C:\Users\Admin\AppData\Local\kcwG2\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3020

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:1976

C:\Users\Admin\AppData\Local\zaf\Utilman.exe
C:\Users\Admin\AppData\Local\zaf\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kcwG2\WINBRAND.dll

Filesize
1.1MB

MD5
d142f2a4e53af3eb929db7ad32fda2ee

SHA1
3a2289498cc60b53522d56246af6e051fbcaf8ae

SHA256
c2a575aeb7ef584413cd5ff598aa3a6dbde3c9692a87d9e265b9177a3f72fd20

SHA512
c743fe2dd1995890e4eb3f8c85592d608cc92657aae1e4595be48525e87cdb88f7735635c023213f1f8d39ebfb322beb71790a9d5411ec90c4535c7404673dff

Download Submit
C:\Users\Admin\AppData\Local\qsjhvB\ReAgent.dll

Filesize
1.1MB

MD5
53b715f92a37b9a14a529f0ce97deaba

SHA1
b263f3fefc97d8d0b0b6078053c44c4340db0dc3

SHA256
ea706ba8fc90120c79e2ba930334551faa8b6df111199c33ea981233a3939ea8

SHA512
677e5de5a66d7fb2c7b6aaa2234029841ff68deb097f52d7cad019b1e50f665f9b720b36648e35ba14d34f1555983a6336c97c522a246547fcc7f19830337db7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
892B

MD5
82bdf4650805fb8dafe3f72eb0e35699

SHA1
820f0400af6ff4c2988e6bc2d69dbfb50e57af06

SHA256
67f240613125c50973912947b69bb3d47c76ea11fafbea1ab8626e093b9b9904

SHA512
867379745a796716a145b68f6390ae8ff7fd2e7055a7c56d7a516d3da3202837547bed9167599969a235fd7c90cd46cbdebc2c09d5110a17b6d122c4ada3a5c8

Download Submit
\Users\Admin\AppData\Local\kcwG2\spreview.exe

Filesize
294KB

MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\qsjhvB\recdisc.exe

Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
\Users\Admin\AppData\Local\zaf\DUI70.dll

Filesize
1.3MB

MD5
b4dc6207c79b4219d594a4b594f940ae

SHA1
1a6c6c5d7c8e29069bc53832fe5579fde6e6ffa9

SHA256
37836c26b1b2f003dab34bf0411bc8b8c276643e8728f3e82ac0e10913cb9abc

SHA512
d0f825fcdd58b0c698b0a4f8f1b8f1e57c19f80baa6ad3ecf3782fcad7f7fe1e845d1405853d3ef25b7456fa2e069f3a769fca7960448f612f807cec608392a0

Download Submit
\Users\Admin\AppData\Local\zaf\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
memory/1180-24-0x00000000773F0000-0x00000000773F2000-memory.dmp

Filesize
8KB

Download
memory/1180-44-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1180-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-22-0x0000000002580000-0x0000000002587000-memory.dmp

Filesize
28KB

Download
memory/1180-25-0x0000000077420000-0x0000000077422000-memory.dmp

Filesize
8KB

Download
memory/1180-3-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1180-36-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-35-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-4-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1180-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-6-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1500-57-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1500-52-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1500-53-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2440-43-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2440-2-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2440-0-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2856-86-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2856-89-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3020-69-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/3020-74-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download