dridex | 853fd5a309facb5739f2b61179c602a459515520a8ee9b884ec8fbd636d966fd

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

853fd5a309facb5739f2b61179c602a459515520a8ee9b884ec8fbd636d966fdN.dll
Size

768KB
MD5

4036dc41e4bc5c472e86a2dc02c292b0
SHA1

c14cf9abcf8e5fafc902fa201cb179e5fe4c4a34
SHA256

853fd5a309facb5739f2b61179c602a459515520a8ee9b884ec8fbd636d966fd
SHA512

a6a13d5e17af68104f7f2f5ddd06737c41bc23b9ca0a67908c643c6dfe9ec57b1562bc576564e07bc060c0620328741e92688e6b3faee16c1cde33abcf582d14
SSDEEP

12288:66BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6:66BQBjlc728jo7S1bl6FbK

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1360-5-0x0000000002490000-0x0000000002491000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2704	SystemPropertiesRemote.exe
2272	FXSCOVER.exe
2348	rdpinit.exe

Loads dropped DLL 7 IoCs

pid	Process
1360	Process not Found
2704	SystemPropertiesRemote.exe
1360	Process not Found
2272	FXSCOVER.exe
1360	Process not Found
2348	rdpinit.exe
1360	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2703099537-420551529-3771253338-1000\\YsUSh\\FXSCOVER.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	rundll32.exe
2748	rundll32.exe
2748	rundll32.exe
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2672	1360	Process not Found	30
PID 1360 wrote to memory of 2672	1360	Process not Found	30
PID 1360 wrote to memory of 2672	1360	Process not Found	30
PID 1360 wrote to memory of 2704	1360	Process not Found	31
PID 1360 wrote to memory of 2704	1360	Process not Found	31
PID 1360 wrote to memory of 2704	1360	Process not Found	31
PID 1360 wrote to memory of 1788	1360	Process not Found	32
PID 1360 wrote to memory of 1788	1360	Process not Found	32
PID 1360 wrote to memory of 1788	1360	Process not Found	32
PID 1360 wrote to memory of 2272	1360	Process not Found	33
PID 1360 wrote to memory of 2272	1360	Process not Found	33
PID 1360 wrote to memory of 2272	1360	Process not Found	33
PID 1360 wrote to memory of 2084	1360	Process not Found	34
PID 1360 wrote to memory of 2084	1360	Process not Found	34
PID 1360 wrote to memory of 2084	1360	Process not Found	34
PID 1360 wrote to memory of 2348	1360	Process not Found	35
PID 1360 wrote to memory of 2348	1360	Process not Found	35
PID 1360 wrote to memory of 2348	1360	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\853fd5a309facb5739f2b61179c602a459515520a8ee9b884ec8fbd636d966fdN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2672

C:\Users\Admin\AppData\Local\8GhoKy\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\8GhoKy\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2704

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1788

C:\Users\Admin\AppData\Local\bPopUo\FXSCOVER.exe
C:\Users\Admin\AppData\Local\bPopUo\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2272

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2084

C:\Users\Admin\AppData\Local\SOsXb\rdpinit.exe
C:\Users\Admin\AppData\Local\SOsXb\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8GhoKy\SYSDM.CPL

Filesize
772KB

MD5
8923f00b2c4278b4318a1e586ea5d3a5

SHA1
06a0186dd6b7ef2a597375ac624cf3fca91f6ddf

SHA256
45e5a28cddeb7c9fa0a40a7c6887a14a9e1bf5af6b17df6c3d3b3726b91cb95f

SHA512
59b2a953b42259d8d84d24aa5dc76d9b09147b73c8036e7c6edc4e60d7f7208b9d3258e8df6597398bb00d8b47bcf4368e3a351e98b5b746d1c94a9b6e2cfb79

Download Submit
C:\Users\Admin\AppData\Local\SOsXb\slc.dll

Filesize
772KB

MD5
5be918a9959467ddd7b368958aa24c3f

SHA1
4275692164b1912e037ad252ec585b4e93a6715c

SHA256
e9732f1737652ba5d5cf721b6960509f7456d02c93065db5b5772171fa889d42

SHA512
1df5bcfe9390951da71594ce86da4355a440616ad7ba6350dbba27f46579ec4b49b932357deb9cf2d9fe5cc6c9231f2aad76bd9e5a4eabd2dddc3fdb0b35260a

Download Submit
C:\Users\Admin\AppData\Local\bPopUo\MFC42u.dll

Filesize
796KB

MD5
c521476e4fe6481225615b42d0ebba6d

SHA1
c51339126ab8680c6d2dd6c2b6ed007c4d604aed

SHA256
e7f72ecf9aee9d2c6e0090ff47d0d53ba53504f233b49a07cb3ee2dce8f64efb

SHA512
436423dcc68cc20728f8328127d0dec12d70dcd52e2bcce807ee658481294893862be47996ce7809f318e0947b75e0c6d5b25226b11a553ecab0ff186489fb30

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
993B

MD5
8fc12c4b51fae87605b3303886810f31

SHA1
ef379f8e746516e780f9c61cf4060ea023483a53

SHA256
aff562f5f6889a1684f0fd722a4bfefc3d5f3b8b5920322e68c43b1a176683da

SHA512
a395d4944cdf42c63fac9bdbb844a5575355c0820ef886573c1f5e8f65c5822073e943c6221c9ecd8fcdf1a1eb706c286f502b547052a060a9e6c9ed78d126d2

Download Submit
\Users\Admin\AppData\Local\8GhoKy\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\SOsXb\rdpinit.exe

Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\bPopUo\FXSCOVER.exe

Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
memory/1360-26-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-7-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-34-0x0000000002470000-0x0000000002477000-memory.dmp

Filesize
28KB

Download
memory/1360-33-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-4-0x0000000077046000-0x0000000077047000-memory.dmp

Filesize
4KB

Download
memory/1360-25-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-24-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-23-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-22-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-17-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-16-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-15-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-14-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-13-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-12-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-11-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-10-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-9-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-8-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-35-0x0000000077251000-0x0000000077252000-memory.dmp

Filesize
4KB

Download
memory/1360-38-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/1360-45-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-46-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-5-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1360-55-0x0000000077046000-0x0000000077047000-memory.dmp

Filesize
4KB

Download
memory/1360-18-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-19-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-21-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1360-20-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2272-84-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/2272-81-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/2272-87-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/2348-104-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/2704-69-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/2704-64-0x0000000140000000-0x00000001400C1000-memory.dmp

Filesize
772KB

Download
memory/2704-63-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2748-54-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2748-3-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2748-0-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download