dridex | 2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e.dll
Size

1.1MB
MD5

41f473abe15c43835fe74461cbe40ee7
SHA1

e15b1de311c779e53e83c87f743eb710d660aa91
SHA256

2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e
SHA512

7dab20ca04e4e3e517c255961c8ac301664e8e9b48e9ab0d2f012b161a2a88422d597c8a9ff082d4d50d58c2c57c1c340390720539f8188e845d92b5e0e7ec70
SSDEEP

12288:4kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:4kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1212-4-0x0000000002D90000-0x0000000002D91000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/1936-0-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral1/memory/1212-24-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral1/memory/1212-35-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral1/memory/1212-36-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral1/memory/1936-44-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral1/memory/3064-54-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload
behavioral1/memory/3064-58-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload
behavioral1/memory/2456-75-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload
behavioral1/memory/1428-91-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3064	SystemPropertiesAdvanced.exe
2456	fvenotify.exe
1428	SystemPropertiesDataExecutionPrevention.exe

Loads dropped DLL 7 IoCs

pid	Process
1212	Process not Found
3064	SystemPropertiesAdvanced.exe
1212	Process not Found
2456	fvenotify.exe
1212	Process not Found
1428	SystemPropertiesDataExecutionPrevention.exe
1212	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\UNX\\FVENOT~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2804	1212	Process not Found	31
PID 1212 wrote to memory of 2804	1212	Process not Found	31
PID 1212 wrote to memory of 2804	1212	Process not Found	31
PID 1212 wrote to memory of 3064	1212	Process not Found	32
PID 1212 wrote to memory of 3064	1212	Process not Found	32
PID 1212 wrote to memory of 3064	1212	Process not Found	32
PID 1212 wrote to memory of 2892	1212	Process not Found	33
PID 1212 wrote to memory of 2892	1212	Process not Found	33
PID 1212 wrote to memory of 2892	1212	Process not Found	33
PID 1212 wrote to memory of 2456	1212	Process not Found	34
PID 1212 wrote to memory of 2456	1212	Process not Found	34
PID 1212 wrote to memory of 2456	1212	Process not Found	34
PID 1212 wrote to memory of 2020	1212	Process not Found	35
PID 1212 wrote to memory of 2020	1212	Process not Found	35
PID 1212 wrote to memory of 2020	1212	Process not Found	35
PID 1212 wrote to memory of 1428	1212	Process not Found	36
PID 1212 wrote to memory of 1428	1212	Process not Found	36
PID 1212 wrote to memory of 1428	1212	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2804

C:\Users\Admin\AppData\Local\RQ1AOh\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\RQ1AOh\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3064

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\CkdlYR8Bg\fvenotify.exe
C:\Users\Admin\AppData\Local\CkdlYR8Bg\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2456

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\UtxSpQ7\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\UtxSpQ7\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CkdlYR8Bg\slc.dll

Filesize
1.1MB

MD5
4ff5c9cf756db7bd9abcd9599a8ddfaf

SHA1
64f33de141c999cccc3074f7a549dc98fe28a7c5

SHA256
589ab1c3f6c4a399a5ee3c649ea494b3689923e88df94146dcdfb8828a859780

SHA512
1fc71934be62ca6e35da227b468ccc0ec774d76dbb9697ce9237628751bdd981f100b90049dffe29887dc87c5d8f97228cf98f0e3c006872430a6fe039042aa4

Download Submit
C:\Users\Admin\AppData\Local\RQ1AOh\SYSDM.CPL

Filesize
1.1MB

MD5
d3e161e870f681460991e2518bd026d8

SHA1
0cc9e72e9d51af74a338a7d7c7c33a303731f625

SHA256
c140a443200ad4e7922f68c6459ff9ab0aebbb23f0fe599074dff1ac68adb024

SHA512
66a00f83177c77b4ae062e0674acc29515d549a68f955a2837e8b28cb7b523863d9a79a3e95eb0dae8b85334dd52b91db23bcb0998d1f0f7049764f4c75726d6

Download Submit
C:\Users\Admin\AppData\Local\UtxSpQ7\SYSDM.CPL

Filesize
1.1MB

MD5
4f64739ace6b49c7adfd4d89e828a63d

SHA1
62b349af0ffa5fc9af3be337ed963bac76b3e75e

SHA256
0dbcbcd407b7d65244efac2b62cc4bcc02f170be3f99ed8edec3954b42cb0193

SHA512
4a8757fa3e9d52fce75a2472cfa81100c0e61bd285ed3dbcce84c70e14150a362a30238e03cc50fe3f892471234ac4b5f5e5659b3ec6a41f57bbdc40a9a755dc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
b76fe9fe33053c6243f4bb65f3559033

SHA1
0c0163ae1291b7605cea4f155296c3e0d52f3207

SHA256
6d8f21f172dff0876559d5ac5a60f874a0b08053eb2940a54031938bfbc9e841

SHA512
c58bee8b3a64519f81e36708a9f9ece6b2e23681bc66904511ac33bedaf518ebaf90244de39e5969f871cfdbde2a4169a5c64c2025465f5df4227c8b8290b502

Download Submit
\Users\Admin\AppData\Local\CkdlYR8Bg\fvenotify.exe

Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\RQ1AOh\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\UtxSpQ7\SystemPropertiesDataExecutionPrevention.exe

Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
memory/1212-25-0x0000000077460000-0x0000000077462000-memory.dmp

Filesize
8KB

Download
memory/1212-9-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-8-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-23-0x0000000002D70000-0x0000000002D77000-memory.dmp

Filesize
28KB

Download
memory/1212-15-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-14-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-7-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-6-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-24-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-13-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-26-0x0000000077490000-0x0000000077492000-memory.dmp

Filesize
8KB

Download
memory/1212-35-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-36-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-12-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-45-0x00000000770F6000-0x00000000770F7000-memory.dmp

Filesize
4KB

Download
memory/1212-10-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-11-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1212-3-0x00000000770F6000-0x00000000770F7000-memory.dmp

Filesize
4KB

Download
memory/1212-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1428-91-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/1936-44-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1936-0-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/1936-2-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2456-70-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2456-75-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/3064-58-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/3064-54-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/3064-53-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download