dridex | f4cc073cc601127a558b1196c98d6839965545cffad19f38370158a6450e82f3

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-10-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4cc073cc601127a558b1196c98d6839965545cffad19f38370158a6450e82f3.dll
Size

704KB
MD5

32d919c09f97767d7a0c7972b2b52103
SHA1

7a83575a7cab12034630cacb854746978e03e7f5
SHA256

f4cc073cc601127a558b1196c98d6839965545cffad19f38370158a6450e82f3
SHA512

5a1a51e61107464ed813eb6f9131d6a2be7993eaa8c43f7e03222db2a35152998a67924a16a4b91e8a839a11948d925ff94930248b2691cafcb7a26159139ef4
SSDEEP

12288:mEwgKnIhABTW0HcD5a1PKxdZhC+k+V9Hgeb/tf/B9P632vHAA:mEwXnOAx5HcDM1Sxd3ChCHg2/P9yGo

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-4-0x0000000002CF0000-0x0000000002CF1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/1708-1-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1196-25-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1196-37-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1196-36-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1708-45-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/2860-55-0x0000000140000000-0x00000001400B7000-memory.dmp	dridex_payload
behavioral1/memory/2860-58-0x0000000140000000-0x00000001400B7000-memory.dmp	dridex_payload
behavioral1/memory/1252-83-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/1252-87-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/2632-103-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2860	mspaint.exe
1252	dccw.exe
2632	UI0Detect.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
2860	mspaint.exe
1196	Process not Found
1252	dccw.exe
1196	Process not Found
2632	UI0Detect.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnfwvyvycst = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\70QCLH~1\\dccw.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2964	1196	Process not Found	31
PID 1196 wrote to memory of 2964	1196	Process not Found	31
PID 1196 wrote to memory of 2964	1196	Process not Found	31
PID 1196 wrote to memory of 2860	1196	Process not Found	32
PID 1196 wrote to memory of 2860	1196	Process not Found	32
PID 1196 wrote to memory of 2860	1196	Process not Found	32
PID 1196 wrote to memory of 2076	1196	Process not Found	33
PID 1196 wrote to memory of 2076	1196	Process not Found	33
PID 1196 wrote to memory of 2076	1196	Process not Found	33
PID 1196 wrote to memory of 1252	1196	Process not Found	34
PID 1196 wrote to memory of 1252	1196	Process not Found	34
PID 1196 wrote to memory of 1252	1196	Process not Found	34
PID 1196 wrote to memory of 1480	1196	Process not Found	35
PID 1196 wrote to memory of 1480	1196	Process not Found	35
PID 1196 wrote to memory of 1480	1196	Process not Found	35
PID 1196 wrote to memory of 2632	1196	Process not Found	36
PID 1196 wrote to memory of 2632	1196	Process not Found	36
PID 1196 wrote to memory of 2632	1196	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4cc073cc601127a558b1196c98d6839965545cffad19f38370158a6450e82f3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:2964

C:\Users\Admin\AppData\Local\pzi3O\mspaint.exe
C:\Users\Admin\AppData\Local\pzi3O\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2860

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2076

C:\Users\Admin\AppData\Local\uZW0xG4p\dccw.exe
C:\Users\Admin\AppData\Local\uZW0xG4p\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1252

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\1P8KB6wFT\UI0Detect.exe
C:\Users\Admin\AppData\Local\1P8KB6wFT\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1P8KB6wFT\WTSAPI32.dll

Filesize
708KB

MD5
1b0d278b79a64cf649fe8ab38158dba9

SHA1
b888df0c4dedb8f7786e7a68190e0d6552b3d45c

SHA256
810ecf11aa5d5ab8b3cd5d4cc3ea877b873be494b6f38f8bfb63dc60a08e6d53

SHA512
0724129e44be9b3f43231b26f016e9a9426bc5465cd1735c38b9a80ab9d5b6ead0358ceb227db1a40ce04fe78fb776ec0888eac816affb3067191ca5cecfdd12

Download Submit
C:\Users\Admin\AppData\Local\pzi3O\MFC42u.dll

Filesize
732KB

MD5
aea3a5f0afbacbb700d80308a4015661

SHA1
e2c37cca838b88fccbf4b9ea098e226f33f4d0c9

SHA256
c105d2097124f62bff6026020c0d5596330cb47e88abe00b480a9978c56f9676

SHA512
b8354452fe32b418a692d4c38f21759cde55f2ae2f3cd3eec3e7b30ad947a95075fc3f421e1473ea8981e3cd60a154b782eda16d46a65422f7ca82254c514259

Download Submit
C:\Users\Admin\AppData\Local\uZW0xG4p\mscms.dll

Filesize
708KB

MD5
a702236f4e6c0eaa610866be52a83d95

SHA1
1540c0dcb6f9e3fd8d17759a2b8a24e17103fc38

SHA256
eefa46f4893f8f6b2c1409643eac512092eff9509a5421d711ac70efbcddbd7d

SHA512
5bb1736ad3c21dfb4585c79f55619d6c71de6c3c8a681ee9b89fda9fb79d980ffe738e137e85cdb8ee5935ad3a5d5411f3609fcc0b97c6f683d5f61ba9a9dca4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk

Filesize
1KB

MD5
175a842b864c4198c92bee3b34cdda23

SHA1
1f805714dacea31d137c201f31aeedafe51acc20

SHA256
eb9dd517f661ace33ae1913206daf9b05dfe7d586ebf14c971d4ffd35f6c935c

SHA512
6ff82b8c4f43669995b3ed207a2e4127304b1a6ce386d7b94032a51a54aba40b59e053dc55a49f4f9a0d92c4a7dad33d03cb96ecf9907378eac374111ae056bb

Download Submit
\Users\Admin\AppData\Local\1P8KB6wFT\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
\Users\Admin\AppData\Local\pzi3O\mspaint.exe

Filesize
6.4MB

MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\uZW0xG4p\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
memory/1196-26-0x00000000770A0000-0x00000000770A2000-memory.dmp

Filesize
8KB

Download
memory/1196-46-0x0000000076E36000-0x0000000076E37000-memory.dmp

Filesize
4KB

Download
memory/1196-16-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-15-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-14-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-25-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-13-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-11-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-10-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-9-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-27-0x00000000770D0000-0x00000000770D2000-memory.dmp

Filesize
8KB

Download
memory/1196-3-0x0000000076E36000-0x0000000076E37000-memory.dmp

Filesize
4KB

Download
memory/1196-37-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-36-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-4-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1196-24-0x0000000002CD0000-0x0000000002CD7000-memory.dmp

Filesize
28KB

Download
memory/1196-12-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-6-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-8-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1196-7-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1252-83-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1252-87-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1708-45-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1708-1-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1708-2-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/2632-103-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2860-58-0x0000000140000000-0x00000001400B7000-memory.dmp

Filesize
732KB

Download
memory/2860-55-0x0000000140000000-0x00000001400B7000-memory.dmp

Filesize
732KB

Download
memory/2860-54-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download