dridex | 9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll
Size

1.2MB
MD5

02cc0f2d0a0c7407558ac5a569c4e04c
SHA1

4b7060c03c224e42c420651368c73dbddcc3a3e3
SHA256

9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7
SHA512

ac134e657c9ec47511245fdcbf717221a83eda2faea7e57560a59e212efa9312f4f13abc29b81be6210405680f507c5d921c4f6fe9ec933249c093e342eef554
SSDEEP

6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTI:kIKp/UWCZdCDh2IZDwAFRpR6Aup

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1188-4-0x0000000002AF0000-0x0000000002AF1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2132-0-0x000007FEF6210000-0x000007FEF6343000-memory.dmp	dridex_payload
behavioral1/memory/1188-26-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/1188-18-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/1188-38-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/1188-37-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/2132-46-0x000007FEF6210000-0x000007FEF6343000-memory.dmp	dridex_payload
behavioral1/memory/2640-55-0x000007FEF68A0000-0x000007FEF69D4000-memory.dmp	dridex_payload
behavioral1/memory/2640-60-0x000007FEF68A0000-0x000007FEF69D4000-memory.dmp	dridex_payload
behavioral1/memory/2504-73-0x000007FEF6210000-0x000007FEF6344000-memory.dmp	dridex_payload
behavioral1/memory/2504-77-0x000007FEF6210000-0x000007FEF6344000-memory.dmp	dridex_payload
behavioral1/memory/1508-93-0x000007FEF6210000-0x000007FEF6344000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2640	OptionalFeatures.exe
2504	fveprompt.exe
1508	rstrui.exe

Loads dropped DLL 7 IoCs

pid	Process
1188	Process not Found
2640	OptionalFeatures.exe
1188	Process not Found
2504	fveprompt.exe
1188	Process not Found
1508	rstrui.exe
1188	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\e9\\fveprompt.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	rundll32.exe
2132	rundll32.exe
2132	rundll32.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2304	1188	Process not Found	31
PID 1188 wrote to memory of 2304	1188	Process not Found	31
PID 1188 wrote to memory of 2304	1188	Process not Found	31
PID 1188 wrote to memory of 2640	1188	Process not Found	32
PID 1188 wrote to memory of 2640	1188	Process not Found	32
PID 1188 wrote to memory of 2640	1188	Process not Found	32
PID 1188 wrote to memory of 2100	1188	Process not Found	33
PID 1188 wrote to memory of 2100	1188	Process not Found	33
PID 1188 wrote to memory of 2100	1188	Process not Found	33
PID 1188 wrote to memory of 2504	1188	Process not Found	34
PID 1188 wrote to memory of 2504	1188	Process not Found	34
PID 1188 wrote to memory of 2504	1188	Process not Found	34
PID 1188 wrote to memory of 2296	1188	Process not Found	36
PID 1188 wrote to memory of 2296	1188	Process not Found	36
PID 1188 wrote to memory of 2296	1188	Process not Found	36
PID 1188 wrote to memory of 1508	1188	Process not Found	37
PID 1188 wrote to memory of 1508	1188	Process not Found	37
PID 1188 wrote to memory of 1508	1188	Process not Found	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2132

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2304

C:\Users\Admin\AppData\Local\VuZm\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\VuZm\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:2100

C:\Users\Admin\AppData\Local\NwV0\fveprompt.exe
C:\Users\Admin\AppData\Local\NwV0\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2504

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:2296

C:\Users\Admin\AppData\Local\wHUP0J\rstrui.exe
C:\Users\Admin\AppData\Local\wHUP0J\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NwV0\slc.dll

Filesize
1.2MB

MD5
a86cfaaef710ed77d55060e9d8b4ae67

SHA1
cf6d68a1634d261ec9d3baad02749bc88c2830e9

SHA256
4f5d9f16a365d3e9f35d4afa8119e492a81b4a8516f069d23911752306efece4

SHA512
ad9c37bb3df50b0481a851101422c52be3ec89cd651c741c03603a20f9758190e22e129ee119fe682fc1f511f1b717c3f9d0e4612839aee747a33eb088d28f2d

Download Submit
C:\Users\Admin\AppData\Local\VuZm\appwiz.cpl

Filesize
1.2MB

MD5
d8a9d1cdc11652bebca2c388271712e5

SHA1
2ec077f512ef571c0f882c30e6c991a372cb1b26

SHA256
d6df7ae1573ff045611fefb0b80950a93be07a5f330a01976c51f43667f52b6d

SHA512
2a670f62fe9202893ed14907cad4e2dfdf1c9632bc066e3df98e0f1879a70403b6e9d2bb246b527b34b0d90f46c1c8d6e5950b3dc50062f1aaf335a494340000

Download Submit
C:\Users\Admin\AppData\Local\wHUP0J\SPP.dll

Filesize
1.2MB

MD5
31cec24b52d9eb251e64e5df2d8d1e75

SHA1
10d0cbf5c7d883ab80a1f169504b35767b2738a5

SHA256
ca2babe6c21554f0d041382bdf7cb951ee76499346fb9b7f80b0729f92e734d8

SHA512
314e16b4bdde882e6338e68edd778804f21dda0f618dddb7ce55d6af6cd9484302be26ee0acacd6db7d877762f10da624b404794f665fb0487ff630e7d80c62d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
de07ae315c7233b66057b516106493d6

SHA1
ac053406aad22db394315992751ca26bb42a714e

SHA256
6d37217184797ee61e0aa4ad73c1b82b28a622c25873398855c714d1b2ec2b61

SHA512
bfe4863605b897538263c00dba82548c449fdd088c68c597b90a22fbb4807bdb801ea43cfa8e2da15675b97d6b219d53105f2d4e35c6d434b8d28dc34184f1f5

Download Submit
\Users\Admin\AppData\Local\NwV0\fveprompt.exe

Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\VuZm\OptionalFeatures.exe

Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\wHUP0J\rstrui.exe

Filesize
290KB

MD5
3db5a1eace7f3049ecc49fa64461e254

SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9

SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

Download Submit
memory/1188-12-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-37-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-11-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-26-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-25-0x00000000029F0000-0x00000000029F7000-memory.dmp

Filesize
28KB

Download
memory/1188-18-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-17-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-16-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-15-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-14-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-13-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-3-0x0000000077066000-0x0000000077067000-memory.dmp

Filesize
4KB

Download
memory/1188-27-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/1188-28-0x0000000077300000-0x0000000077302000-memory.dmp

Filesize
8KB

Download
memory/1188-38-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-10-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-4-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1188-47-0x0000000077066000-0x0000000077067000-memory.dmp

Filesize
4KB

Download
memory/1188-6-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-7-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-9-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1188-8-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1508-93-0x000007FEF6210000-0x000007FEF6344000-memory.dmp

Filesize
1.2MB

Download
memory/2132-46-0x000007FEF6210000-0x000007FEF6343000-memory.dmp

Filesize
1.2MB

Download
memory/2132-0-0x000007FEF6210000-0x000007FEF6343000-memory.dmp

Filesize
1.2MB

Download
memory/2132-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2504-72-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2504-73-0x000007FEF6210000-0x000007FEF6344000-memory.dmp

Filesize
1.2MB

Download
memory/2504-77-0x000007FEF6210000-0x000007FEF6344000-memory.dmp

Filesize
1.2MB

Download
memory/2640-60-0x000007FEF68A0000-0x000007FEF69D4000-memory.dmp

Filesize
1.2MB

Download
memory/2640-57-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2640-55-0x000007FEF68A0000-0x000007FEF69D4000-memory.dmp

Filesize
1.2MB

Download