dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

13-05-2024 17:36

12-05-2024 17:17

12-05-2024 16:15

10-05-2024 18:05

10-05-2024 17:48

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral11/memory/3536-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

cmstp.exeWFS.exeCloudNotifications.exe

pid process

3184 cmstp.exe
2028 WFS.exe
2144 CloudNotifications.exe
Loads dropped DLL 3 IoCs

Processes:

cmstp.exeWFS.exeCloudNotifications.exe

pid process

3184 cmstp.exe
2028 WFS.exe
2144 CloudNotifications.exe

resource	yara_rule
behavioral11/memory/3536-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp	dridex_stager_shellcode

pid	process
3184	cmstp.exe
2028	WFS.exe
2144	CloudNotifications.exe

pid	process
3184	cmstp.exe
2028	WFS.exe
2144	CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\4KM\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execmstp.exeWFS.exeCloudNotifications.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1464	rundll32.exe
1464	rundll32.exe
1464	rundll32.exe
1464	rundll32.exe
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3536 wrote to memory of 5112	3536	cmstp.exe
PID 3536 wrote to memory of 5112	3536	cmstp.exe
PID 3536 wrote to memory of 3184	3536	cmstp.exe
PID 3536 wrote to memory of 3184	3536	cmstp.exe
PID 3536 wrote to memory of 4596	3536	WFS.exe
PID 3536 wrote to memory of 4596	3536	WFS.exe
PID 3536 wrote to memory of 2028	3536	WFS.exe
PID 3536 wrote to memory of 2028	3536	WFS.exe
PID 3536 wrote to memory of 2548	3536	CloudNotifications.exe
PID 3536 wrote to memory of 2548	3536	CloudNotifications.exe
PID 3536 wrote to memory of 2144	3536	CloudNotifications.exe
PID 3536 wrote to memory of 2144	3536	CloudNotifications.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:5112

C:\Users\Admin\AppData\Local\NNj4rS\cmstp.exe
C:\Users\Admin\AppData\Local\NNj4rS\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3184

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:4596

C:\Users\Admin\AppData\Local\ySwp\WFS.exe
C:\Users\Admin\AppData\Local\ySwp\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2028

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\f8H\CloudNotifications.exe
C:\Users\Admin\AppData\Local\f8H\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NNj4rS\VERSION.dll
Filesize
1.2MB

MD5
84408343ba07da6f98e6b0a18707917b

SHA1
800a6144eba3a751f093d345602ba1beef58e3e9

SHA256
d76db6d9d99f7a197a7cf700b0045bbedf3f8c44a6f3a214cb40fdd154fe0988

SHA512
19536f9c1f2dce0a71bdcc5ae78ff1066fa7bdcad58783e4da65a03a4f3d616912dfd4dac128693dfe393ac6545c44b9d01082ebb468983541e3d19713264639

Download Submit
C:\Users\Admin\AppData\Local\NNj4rS\cmstp.exe
Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
C:\Users\Admin\AppData\Local\f8H\CloudNotifications.exe
Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\f8H\UxTheme.dll
Filesize
1.2MB

MD5
1e694dcb23ac2db0f1513aa6b79c2e5e

SHA1
f3e6c3a841782a8d920ce64ecccbe7524f9f68e8

SHA256
e7a2310762f16e536522da16bb80cbe15faaec852084d1de2669212557669c05

SHA512
e43e744612ffcd8f46ec644527ac431b0f1c439ecf340f574d9cb0cc0132fae73aa75b0dc0777ce204ae6c536a1141adc67584b88f8f260569dfde0d8ae0e407

Download Submit
C:\Users\Admin\AppData\Local\ySwp\WFS.exe
Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\ySwp\WINMM.dll
Filesize
1.2MB

MD5
39974e2f3e0492a98f280abce8e83f99

SHA1
45dc0ca68133a11cf95b04a3aabb1ab8f64ba375

SHA256
74c6fa10e71c3088e7908b394e72ebec57bf3a3ed92ce33303160bf4723e0d89

SHA512
bd3ab514871f5d1b716383ac38cce9d63cb01ca03227bbd9e0cd54db145276a299d041eb91dd5446cfb8e283d5dff4a8ee5eb8e134d17531dfd3a3d2991a7144

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
83548801a2dd0bc34dac11b3a57de64b

SHA1
d5d5802f10598d2af97c09f3542ee7869790574f

SHA256
c02634b220084aaa1e2276eb935a3345ab2e2601d4aadbc1a3a081007813df19

SHA512
378cc135d2e946b8f502c04c95c30e44072ecef8fd7aa2a373a456f60fd134583d70879217fafee0fe52ba1c13a6f08b9e4acbbc9fb83101742d01ff391f7bea

Download Submit
memory/1464-3-0x0000021580DD0000-0x0000021580DD7000-memory.dmp

Filesize
28KB

Download
memory/1464-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1464-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2028-66-0x0000022C445F0000-0x0000022C445F7000-memory.dmp

Filesize
28KB

Download
memory/2028-63-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2028-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2144-80-0x0000019CECC90000-0x0000019CECC97000-memory.dmp

Filesize
28KB

Download
memory/2144-86-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3184-51-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3184-52-0x0000024DD8970000-0x0000024DD8977000-memory.dmp

Filesize
28KB

Download
memory/3184-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3536-33-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/3536-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-34-0x00007FFE4CD4A000-0x00007FFE4CD4B000-memory.dmp

Filesize
4KB

Download
memory/3536-35-0x0000000002EB0000-0x0000000002EB7000-memory.dmp

Filesize
28KB

Download
memory/3536-37-0x00007FFE4E510000-0x00007FFE4E520000-memory.dmp

Filesize
64KB

Download
memory/3536-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3536-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download