dridex | b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4ab

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll
Size

864KB
MD5

2c03fc6b7234c76ff6dbe5abd2825560
SHA1

407a3f86da295159b9cab2c43b255a25455ee14b
SHA256

b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4ab
SHA512

3807cc45b91e613805cb2b7763ec31fd96d961896112460c2196bce36a5207a8f567b41c97cc72bc5fd51461fc62cfc77a4f55f8062f41b45f0f8e4065e93acb
SSDEEP

12288:2kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:2kbHkWfzZ5adwLNGeStHntqN7v

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-4-0x0000000002EF0000-0x0000000002EF1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2508-1-0x000007FEF66E0000-0x000007FEF67B8000-memory.dmp	dridex_payload
behavioral1/memory/1188-21-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/1188-41-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/1188-40-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/1188-29-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/2508-49-0x000007FEF66E0000-0x000007FEF67B8000-memory.dmp	dridex_payload
behavioral1/memory/2768-58-0x000007FEF67C0000-0x000007FEF6899000-memory.dmp	dridex_payload
behavioral1/memory/2768-63-0x000007FEF67C0000-0x000007FEF6899000-memory.dmp	dridex_payload
behavioral1/memory/576-75-0x000007FEF61C0000-0x000007FEF6299000-memory.dmp	dridex_payload
behavioral1/memory/576-78-0x000007FEF61C0000-0x000007FEF6299000-memory.dmp	dridex_payload
behavioral1/memory/1584-93-0x000007FEF5C30000-0x000007FEF5D09000-memory.dmp	dridex_payload
behavioral1/memory/1584-97-0x000007FEF5C30000-0x000007FEF5D09000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

p2phost.execonsent.exemsconfig.exe

pid	Process
2768	p2phost.exe
576	consent.exe
1584	msconfig.exe

Loads dropped DLL 7 IoCs

Processes:

p2phost.execonsent.exemsconfig.exe

pid	Process
1188
2768	p2phost.exe
1188
576	consent.exe
1188
1584	msconfig.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\dQ4lbs\\consent.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exep2phost.execonsent.exemsconfig.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1188 wrote to memory of 2944	1188	31
PID 1188 wrote to memory of 2944	1188	31
PID 1188 wrote to memory of 2944	1188	31
PID 1188 wrote to memory of 2768	1188	32
PID 1188 wrote to memory of 2768	1188	32
PID 1188 wrote to memory of 2768	1188	32
PID 1188 wrote to memory of 1428	1188	33
PID 1188 wrote to memory of 1428	1188	33
PID 1188 wrote to memory of 1428	1188	33
PID 1188 wrote to memory of 576	1188	34
PID 1188 wrote to memory of 576	1188	34
PID 1188 wrote to memory of 576	1188	34
PID 1188 wrote to memory of 2788	1188	35
PID 1188 wrote to memory of 2788	1188	35
PID 1188 wrote to memory of 2788	1188	35
PID 1188 wrote to memory of 1584	1188	36
PID 1188 wrote to memory of 1584	1188	36
PID 1188 wrote to memory of 1584	1188	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2508

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2944

C:\Users\Admin\AppData\Local\fpIfT\p2phost.exe
C:\Users\Admin\AppData\Local\fpIfT\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2768

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1428

C:\Users\Admin\AppData\Local\FGHiXq\consent.exe
C:\Users\Admin\AppData\Local\FGHiXq\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:576

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\medicp\msconfig.exe
C:\Users\Admin\AppData\Local\medicp\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FGHiXq\WTSAPI32.dll

Filesize
868KB

MD5
7a7be83343bc81cefb531d102ab60d16

SHA1
618ab214bd919a15d92ac27a80f0ee8e09403c99

SHA256
cebc64db1d539306110ce307f26f9d4972a7937a18667dc8c9d6a846b2f7e6b8

SHA512
0a5d7c39cbb44279b2dbb4bfe43963af9f178e931b0637c2c9fb84d87e173be7c55ad964c36e8e1dc5ecd826544663f1107ed893f4cd666a079748c707a96402

Download Submit
C:\Users\Admin\AppData\Local\fpIfT\P2PCOLLAB.dll

Filesize
868KB

MD5
4cc2929b4349d7b0010f9b96f35a4d8c

SHA1
6019e355c91f3e956ac25d20088341eb82d87853

SHA256
282e90c61e87f5313a58d5234d2852d14471dd845f424b71b3789df3c8e26e8f

SHA512
17380ffd5d5e4fb90db758716b4cca1804ce77c5f5a481563a26a3cbe0660d09214fa5eb331b486c59080b916fb1999b1cb98a844f5a19a718775381cf33b65a

Download Submit
C:\Users\Admin\AppData\Local\medicp\VERSION.dll

Filesize
868KB

MD5
8596a7b2fc1e66d460ca687f2bb29fff

SHA1
a37efecb2fee7bee7b17585802dd62817a458327

SHA256
c291f2735f4a16b608e199332cedfb7a4448c938bfc41dbb4b1ac9a55ca63dab

SHA512
0de3d593fda2f32dfea23ce8c096e80d907e1b43a6d7fed4574559f70ef811e05dd2b9cb564806d6e8baef85f7535620719ceb1a72f4b1c1bbd4aee005649d1d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk

Filesize
1KB

MD5
fc2e8063272a6cf6135fb2e1e08775e4

SHA1
9aa11cb9703786f84556630765ff9835a6ee7ffc

SHA256
4809796867944be75977d4b4b6017affa4d494c0654e4a49e4d6a98f8d1a2a6c

SHA512
2404180016bf1dc667fa5cf3acd36cc8f7d321876322dc713abcb2ed28c9084d11bdf4f541c4f5d997f195b64282f9a99a61aef392252cb980bfcb29b9548922

Download Submit
\Users\Admin\AppData\Local\FGHiXq\consent.exe

Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
\Users\Admin\AppData\Local\fpIfT\p2phost.exe

Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\medicp\msconfig.exe

Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
memory/576-78-0x000007FEF61C0000-0x000007FEF6299000-memory.dmp

Filesize
868KB

Download
memory/576-75-0x000007FEF61C0000-0x000007FEF6299000-memory.dmp

Filesize
868KB

Download
memory/576-77-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1188-31-0x0000000077270000-0x0000000077272000-memory.dmp

Filesize
8KB

Download
memory/1188-50-0x0000000076ED6000-0x0000000076ED7000-memory.dmp

Filesize
4KB

Download
memory/1188-30-0x0000000077240000-0x0000000077242000-memory.dmp

Filesize
8KB

Download
memory/1188-41-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-40-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-29-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-16-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-15-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-14-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-13-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-12-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-11-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-9-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-8-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-7-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-6-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-3-0x0000000076ED6000-0x0000000076ED7000-memory.dmp

Filesize
4KB

Download
memory/1188-4-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1188-18-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-19-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-10-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-17-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-28-0x0000000002ED0000-0x0000000002ED7000-memory.dmp

Filesize
28KB

Download
memory/1188-20-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1188-21-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1584-92-0x00000000000B0000-0x00000000000B7000-memory.dmp

Filesize
28KB

Download
memory/1584-93-0x000007FEF5C30000-0x000007FEF5D09000-memory.dmp

Filesize
868KB

Download
memory/1584-97-0x000007FEF5C30000-0x000007FEF5D09000-memory.dmp

Filesize
868KB

Download
memory/2508-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2508-49-0x000007FEF66E0000-0x000007FEF67B8000-memory.dmp

Filesize
864KB

Download
memory/2508-1-0x000007FEF66E0000-0x000007FEF67B8000-memory.dmp

Filesize
864KB

Download
memory/2768-63-0x000007FEF67C0000-0x000007FEF6899000-memory.dmp

Filesize
868KB

Download
memory/2768-58-0x000007FEF67C0000-0x000007FEF6899000-memory.dmp

Filesize
868KB

Download
memory/2768-60-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download