dridex | 6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll
Size

1.1MB
MD5

e6d1c2e5b87a7ed6ba3589239a6f4df1
SHA1

23b73577254af4ca38171c0414b44bdee8980c50
SHA256

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b
SHA512

9c6be91ff095cc8828ae4aff713ceb20e098f81e49ba3a2e61c16b9c06d99bfb14604e5074811d2a0de176748b96a06f72ad0a3d3e8b21827d43eb087b1ecae8
SSDEEP

12288:4kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:4kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1188-4-0x0000000002230000-0x0000000002231000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2492-1-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1188-23-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1188-34-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1188-35-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/2492-43-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/2616-53-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral1/memory/2616-57-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral1/memory/1524-70-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1524-72-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1476-92-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2616	msinfo32.exe
1524	SystemPropertiesHardware.exe
1476	dccw.exe

Loads dropped DLL 7 IoCs

pid	Process
1188	Process not Found
2616	msinfo32.exe
1188	Process not Found
1524	SystemPropertiesHardware.exe
1188	Process not Found
1476	dccw.exe
1188	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\FDTp\\SystemPropertiesHardware.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	rundll32.exe
2492	rundll32.exe
2492	rundll32.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2256	1188	Process not Found	30
PID 1188 wrote to memory of 2256	1188	Process not Found	30
PID 1188 wrote to memory of 2256	1188	Process not Found	30
PID 1188 wrote to memory of 2616	1188	Process not Found	31
PID 1188 wrote to memory of 2616	1188	Process not Found	31
PID 1188 wrote to memory of 2616	1188	Process not Found	31
PID 1188 wrote to memory of 1308	1188	Process not Found	32
PID 1188 wrote to memory of 1308	1188	Process not Found	32
PID 1188 wrote to memory of 1308	1188	Process not Found	32
PID 1188 wrote to memory of 1524	1188	Process not Found	33
PID 1188 wrote to memory of 1524	1188	Process not Found	33
PID 1188 wrote to memory of 1524	1188	Process not Found	33
PID 1188 wrote to memory of 3008	1188	Process not Found	34
PID 1188 wrote to memory of 3008	1188	Process not Found	34
PID 1188 wrote to memory of 3008	1188	Process not Found	34
PID 1188 wrote to memory of 1476	1188	Process not Found	35
PID 1188 wrote to memory of 1476	1188	Process not Found	35
PID 1188 wrote to memory of 1476	1188	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2256

C:\Users\Admin\AppData\Local\OQJDD\msinfo32.exe
C:\Users\Admin\AppData\Local\OQJDD\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2616

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1308

C:\Users\Admin\AppData\Local\ULzKcC\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\ULzKcC\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1524

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\sChfc\dccw.exe
C:\Users\Admin\AppData\Local\sChfc\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OQJDD\MFC42u.dll

Filesize
1.1MB

MD5
367095dd230858cc92c296542ecb31a7

SHA1
274d074d9324caaec11a47b62f64687f95228851

SHA256
789fdec0eca28ecd6f235521ab87c2e10e9aa834819cc5eb12df0d5d3a89cb9a

SHA512
c029a99e2a3aa7bed723952c96d836e6d6183c3bf47244e7d7cba9ef7bfae727f0e6b6e764353849a5a394b68785a4c8102b6eb1a881ce41f68cd208dd1c3f67

Download Submit
C:\Users\Admin\AppData\Local\ULzKcC\SYSDM.CPL

Filesize
1.1MB

MD5
ea724deef4e968dfe455c2f0d5c817d3

SHA1
481baff3f6216324719fb7fdd411c98780933cda

SHA256
214558365b0931405985fc282e06cb1f90287c2471eed1e3b6ced5d73dbeef95

SHA512
29e6da09d15030879d8c6e62c1d59cf9fb1518c7c13b47c5660781f5d8368d81416d0fe2ea3d78d7efcd66e7dec72080f3fa7561bf8c7c74145714f3f8770c4e

Download Submit
C:\Users\Admin\AppData\Local\sChfc\mscms.dll

Filesize
1.1MB

MD5
a8bf5ba4ef1707c07f99f6abef5b9432

SHA1
5c5e3f38cc8d632267eb0aa375368c2e7352c58c

SHA256
7b5a16d1c0bd4e0c09f9067a70d930af705edf91270a5a79419ea50286dc66eb

SHA512
defa6cce5ac44ecf3ec91d6cd6a0f742a0a5b315597bba73ce627c938a76cacaa6bc7c38ada725d90d8dbd4b16506960a49f9beed240f00b1768e61b92d8e2f8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
ded051e73bb404d3ac502e13b256b120

SHA1
a3d78456a098575329075cfa54bc1561232aa3b0

SHA256
a6e2e981d84c2557d86ad627f0cdcc5af8af0d130f3be4c07ab88e09be590ea9

SHA512
39301e1b26ae9486d797ab1fd8e7c1ef761b3874cf482092fb784acbd6abb58ee7d937eae42bfe78114f66b794c3c2ef31c23b5ce073d886cecada7eb1aab0b3

Download Submit
\Users\Admin\AppData\Local\OQJDD\msinfo32.exe

Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
\Users\Admin\AppData\Local\ULzKcC\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\sChfc\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
memory/1188-24-0x0000000077E20000-0x0000000077E22000-memory.dmp

Filesize
8KB

Download
memory/1188-44-0x0000000077BB6000-0x0000000077BB7000-memory.dmp

Filesize
4KB

Download
memory/1188-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-25-0x0000000077E50000-0x0000000077E52000-memory.dmp

Filesize
8KB

Download
memory/1188-3-0x0000000077BB6000-0x0000000077BB7000-memory.dmp

Filesize
4KB

Download
memory/1188-34-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-35-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-4-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1188-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-22-0x0000000002210000-0x0000000002217000-memory.dmp

Filesize
28KB

Download
memory/1188-6-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1188-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1476-92-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1524-69-0x0000000000210000-0x0000000000217000-memory.dmp

Filesize
28KB

Download
memory/1524-70-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1524-72-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2492-43-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2492-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2492-1-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2616-57-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2616-53-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2616-52-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download