dridex | c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll
Size

672KB
MD5

d7b6390737e5cbc33070d66723208014
SHA1

d8706c8648e39289dabead6db0f9d5094048bcd7
SHA256

c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e
SHA512

b168072d2f1c92383f9336484b3cf1595eeba37602718b0a295d1fbacc6255967bacd9fff2090e48570086a104b8f94bf637c2a32ab84a87feef0ede9fa6fa0c
SSDEEP

6144:K34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:KIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1176-4-0x0000000002EF0000-0x0000000002EF1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2920-0-0x000007FEF7B50000-0x000007FEF7BF8000-memory.dmp	dridex_payload
behavioral1/memory/1176-16-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1176-24-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1176-36-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1176-35-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/2920-44-0x000007FEF7B50000-0x000007FEF7BF8000-memory.dmp	dridex_payload
behavioral1/memory/2536-54-0x000007FEF7C00000-0x000007FEF7CA9000-memory.dmp	dridex_payload
behavioral1/memory/2536-58-0x000007FEF7C00000-0x000007FEF7CA9000-memory.dmp	dridex_payload
behavioral1/memory/992-71-0x000007FEF7110000-0x000007FEF71BF000-memory.dmp	dridex_payload
behavioral1/memory/992-73-0x000007FEF7110000-0x000007FEF71BF000-memory.dmp	dridex_payload
behavioral1/memory/2812-87-0x000007FEF6C90000-0x000007FEF6D3A000-memory.dmp	dridex_payload
behavioral1/memory/2812-91-0x000007FEF6C90000-0x000007FEF6D3A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2536	mblctr.exe
992	DevicePairingWizard.exe
2812	rrinstaller.exe

Loads dropped DLL 7 IoCs

pid	Process
1176	Process not Found
2536	mblctr.exe
1176	Process not Found
992	DevicePairingWizard.exe
1176	Process not Found
2812	rrinstaller.exe
1176	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\N5pl\\DEVICE~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	rundll32.exe
2920	rundll32.exe
2920	rundll32.exe
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found
2536	mblctr.exe
2536	mblctr.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2492	1176	Process not Found	28
PID 1176 wrote to memory of 2492	1176	Process not Found	28
PID 1176 wrote to memory of 2492	1176	Process not Found	28
PID 1176 wrote to memory of 2536	1176	Process not Found	29
PID 1176 wrote to memory of 2536	1176	Process not Found	29
PID 1176 wrote to memory of 2536	1176	Process not Found	29
PID 1176 wrote to memory of 568	1176	Process not Found	30
PID 1176 wrote to memory of 568	1176	Process not Found	30
PID 1176 wrote to memory of 568	1176	Process not Found	30
PID 1176 wrote to memory of 992	1176	Process not Found	31
PID 1176 wrote to memory of 992	1176	Process not Found	31
PID 1176 wrote to memory of 992	1176	Process not Found	31
PID 1176 wrote to memory of 2796	1176	Process not Found	32
PID 1176 wrote to memory of 2796	1176	Process not Found	32
PID 1176 wrote to memory of 2796	1176	Process not Found	32
PID 1176 wrote to memory of 2812	1176	Process not Found	33
PID 1176 wrote to memory of 2812	1176	Process not Found	33
PID 1176 wrote to memory of 2812	1176	Process not Found	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:2492

C:\Users\Admin\AppData\Local\WGYEFPVLH\mblctr.exe
C:\Users\Admin\AppData\Local\WGYEFPVLH\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2536

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:568

C:\Users\Admin\AppData\Local\9LDOhwI\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\9LDOhwI\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:992

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\ddik\rrinstaller.exe
C:\Users\Admin\AppData\Local\ddik\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9LDOhwI\MFC42u.dll

Filesize
700KB

MD5
451c79cd6095840232f24c5f3384519d

SHA1
c19f9383439ff678e8e6934eb48ce80a57e1abdb

SHA256
43c655245074ebd37ce59bf86ec30b1710632509bbb58161b3818d3f73f0169c

SHA512
313bad710b535dd9974a9ab8f046ee3fc62f37f924634769e7f4e567d694b1f1df79a52d32dcb96936ed269df6c5bcdba73adc68ed5ebc3e9d2bece99dab6944

Download Submit
C:\Users\Admin\AppData\Local\ddik\MFPlat.DLL

Filesize
680KB

MD5
adc53308df92b480bdea907ecb872cdc

SHA1
4770c9eccaf7c6b04ed5315765ccbabcaa41c772

SHA256
6dfb1ebbbfde182d5715e7d975b57189aab6d4c603c4bbfb51c2d49e64929578

SHA512
3592198e931457dab8b80b52a0e147b0551ddcaedc3a91fbee56655fd915112b71def94d4f1e0d163b074403f5b98ce3b7bf725aa75ef1b631943d2c1fdc1cc5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
a6f98bc2e5a55d754c8d10c504a28d2a

SHA1
cb002d43de0b2106a5e760844f0c3ba1aff0a161

SHA256
0865ae53a047e1f906c55e1a19eec305fd657c1854f53ece7e37c85ae2a1916f

SHA512
01f076ffa1d3fe5d33c1c9e6b979779efb1ab32b5924817557deba152edc5c4c336648fdd24a4af27599cdafdcc1a0f98ed37fe084108e35b5013b6d159cb17d

Download Submit
\Users\Admin\AppData\Local\9LDOhwI\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\WGYEFPVLH\dwmapi.dll

Filesize
676KB

MD5
c1caf1e2a9615b797dbf1687a96cf894

SHA1
d8db212ca5fb92cf024328490e1fa5b1627e35ea

SHA256
11b5f13e80813e8bf83d1925b16eb00677cb82fcb66079198660c3861a352c1d

SHA512
f084c7536001de7ac247bed43195b47a9c17393268b48ca4b5165060bcc397fb992e570e9ec2e627801fdeb3da86a9244977d665859134af01b5e63926a4b5a8

Download Submit
\Users\Admin\AppData\Local\WGYEFPVLH\mblctr.exe

Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
\Users\Admin\AppData\Local\ddik\rrinstaller.exe

Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
memory/992-73-0x000007FEF7110000-0x000007FEF71BF000-memory.dmp

Filesize
700KB

Download
memory/992-71-0x000007FEF7110000-0x000007FEF71BF000-memory.dmp

Filesize
700KB

Download
memory/992-70-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1176-25-0x0000000077E30000-0x0000000077E32000-memory.dmp

Filesize
8KB

Download
memory/1176-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-24-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-26-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download
memory/1176-3-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

Filesize
4KB

Download
memory/1176-36-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-35-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-4-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1176-45-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

Filesize
4KB

Download
memory/1176-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1176-23-0x0000000002ED0000-0x0000000002ED7000-memory.dmp

Filesize
28KB

Download
memory/1176-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/2536-58-0x000007FEF7C00000-0x000007FEF7CA9000-memory.dmp

Filesize
676KB

Download
memory/2536-54-0x000007FEF7C00000-0x000007FEF7CA9000-memory.dmp

Filesize
676KB

Download
memory/2536-53-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2812-87-0x000007FEF6C90000-0x000007FEF6D3A000-memory.dmp

Filesize
680KB

Download
memory/2812-91-0x000007FEF6C90000-0x000007FEF6D3A000-memory.dmp

Filesize
680KB

Download
memory/2920-44-0x000007FEF7B50000-0x000007FEF7BF8000-memory.dmp

Filesize
672KB

Download
memory/2920-0-0x000007FEF7B50000-0x000007FEF7BF8000-memory.dmp

Filesize
672KB

Download
memory/2920-2-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download