dridex | 84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243.dll
Size

892KB
MD5

009476457e7f03b7c55a0b468c9be2c1
SHA1

ea8823b66b647bd936a65d9b745d4431378e14e9
SHA256

84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243
SHA512

ef82b8b9c84ac1fe2c1326c2a07a632504786179811f956bfc9c65f203d4fe395981db8891420b18906302d8ff01d63a18bb34e88104c7975b13531fc412d180
SSDEEP

12288:3ZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:3ZK6F7nVeRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1196-5-0x0000000002D80000-0x0000000002D81000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

sdclt.exefvenotify.exevmicsvc.exe

pid process

2512 sdclt.exe
2000 fvenotify.exe
2984 vmicsvc.exe
Loads dropped DLL 7 IoCs

Processes:

sdclt.exefvenotify.exevmicsvc.exe

pid process

1196
2512 sdclt.exe
1196
2000 fvenotify.exe
1196
2984 vmicsvc.exe
1196

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002D80000-0x0000000002D81000-memory.dmp	dridex_stager_shellcode

pid	process
2512	sdclt.exe
2000	fvenotify.exe
2984	vmicsvc.exe

pid	process
1196
2512	sdclt.exe
1196
2000	fvenotify.exe
1196
2984	vmicsvc.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\smM\\FVENOT~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesdclt.exefvenotify.exevmicsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesdclt.exefvenotify.exe

pid	process
1088	rundll32.exe
1088	rundll32.exe
1088	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
2512	sdclt.exe
2512	sdclt.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
2000	fvenotify.exe
2000	fvenotify.exe
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2624	1196	sdclt.exe
PID 1196 wrote to memory of 2624	1196	sdclt.exe
PID 1196 wrote to memory of 2624	1196	sdclt.exe
PID 1196 wrote to memory of 2512	1196	sdclt.exe
PID 1196 wrote to memory of 2512	1196	sdclt.exe
PID 1196 wrote to memory of 2512	1196	sdclt.exe
PID 1196 wrote to memory of 1028	1196	fvenotify.exe
PID 1196 wrote to memory of 1028	1196	fvenotify.exe
PID 1196 wrote to memory of 1028	1196	fvenotify.exe
PID 1196 wrote to memory of 2000	1196	fvenotify.exe
PID 1196 wrote to memory of 2000	1196	fvenotify.exe
PID 1196 wrote to memory of 2000	1196	fvenotify.exe
PID 1196 wrote to memory of 2864	1196	vmicsvc.exe
PID 1196 wrote to memory of 2864	1196	vmicsvc.exe
PID 1196 wrote to memory of 2864	1196	vmicsvc.exe
PID 1196 wrote to memory of 2984	1196	vmicsvc.exe
PID 1196 wrote to memory of 2984	1196	vmicsvc.exe
PID 1196 wrote to memory of 2984	1196	vmicsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2624

C:\Users\Admin\AppData\Local\LCJKTAnn\sdclt.exe
C:\Users\Admin\AppData\Local\LCJKTAnn\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2512

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:1028

C:\Users\Admin\AppData\Local\sd5V6iw\fvenotify.exe
C:\Users\Admin\AppData\Local\sd5V6iw\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:2864

C:\Users\Admin\AppData\Local\vvgaFrkH\vmicsvc.exe
C:\Users\Admin\AppData\Local\vvgaFrkH\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2984

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LCJKTAnn\sdclt.exe
Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
C:\Users\Admin\AppData\Local\sd5V6iw\slc.dll
Filesize
896KB

MD5
197cb723c8402b1a7956e7425dd9d3a1

SHA1
f0967ab2205c6a49ba4beea550f919ef85cc96a1

SHA256
374333a502848945dd16294008b1bab4cd1d9d516ee50773eefe98f53c10587d

SHA512
4a80fec4f3e260ab2828b303d79b2abd2ac369c0a374779cc42916485d821d1698df026eb4067d7959e86cbee18d606c67bd54bacf55f61b5536eee0e9a163c3

Download Submit
C:\Users\Admin\AppData\Local\vvgaFrkH\ACTIVEDS.dll
Filesize
896KB

MD5
af13f4b26029521582ed2827b9ec0e87

SHA1
a4e1a84af7f86fee0b565d5c0a77645b59b33326

SHA256
ac278603f979e6eb95a965a3a995c568f1dda0ab27ad846ae2e28c62c80c524e

SHA512
213a25c4cc0d877b1671f957a0b6b46c6fada4c452017b8e756b356f4d0463e91ff9611eb15b8d6f3cdfe97fde67a9b18ad78cc587cc88868bea9fdbd14615ea

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Smfbypnq.lnk
Filesize
1KB

MD5
3ee5cedeb4859730accd2f6f54e71621

SHA1
ef4227615fd3196f47f02c3f8dcc03f8e3520383

SHA256
61333aafa8d2c14466b8cb8a2d7bdb5d17eb2fc56111e36431bbc5f79972d0a1

SHA512
563f18682ccd2bb8c9b1ea926f51e08b28e865cc8552ac32752d26933501792655ca50b785b9a2c2a5755e900b70ce0e6d9d779f505f41f046aaf5ae1950f337

Download Submit
\Users\Admin\AppData\Local\LCJKTAnn\wer.dll
Filesize
896KB

MD5
045f1fa4e6f47c851ea75fb652f720c5

SHA1
ca8ca6cca75745be497315c401de5484c1d7ec9d

SHA256
7422d2a47e993b46554f8bc38c605dddc9c3522d1987ca30b3a96b10c2ce619e

SHA512
7cbeb3112014e705fe0675e9c975fd7db6f299f2d3f477795c5306d7a37f9a05255379b2b05df584a4eaa8688466d784a6a39dc35381758699d5acafdf761cd5

Download Submit
\Users\Admin\AppData\Local\sd5V6iw\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\vvgaFrkH\vmicsvc.exe
Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
memory/1088-1-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1088-0-0x000007FEF6A40000-0x000007FEF6B1F000-memory.dmp

Filesize
892KB

Download
memory/1088-11-0x000007FEF6A40000-0x000007FEF6B1F000-memory.dmp

Filesize
892KB

Download
memory/1196-21-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-20-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-44-0x0000000077430000-0x0000000077432000-memory.dmp

Filesize
8KB

Download
memory/1196-45-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-43-0x00000000772D1000-0x00000000772D2000-memory.dmp

Filesize
4KB

Download
memory/1196-40-0x0000000002D60000-0x0000000002D67000-memory.dmp

Filesize
28KB

Download
memory/1196-33-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-32-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-31-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-30-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-29-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-28-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-27-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-25-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-24-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-26-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-54-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-22-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-23-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-4-0x00000000771C6000-0x00000000771C7000-memory.dmp

Filesize
4KB

Download
memory/1196-49-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-39-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-19-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-18-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-17-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-16-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-15-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-13-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-12-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-10-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-9-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-102-0x00000000771C6000-0x00000000771C7000-memory.dmp

Filesize
4KB

Download
memory/1196-14-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-5-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1196-8-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1196-7-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/2000-86-0x000007FEF74F0000-0x000007FEF75D0000-memory.dmp

Filesize
896KB

Download
memory/2000-83-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2000-80-0x000007FEF74F0000-0x000007FEF75D0000-memory.dmp

Filesize
896KB

Download
memory/2512-68-0x000007FEF6A40000-0x000007FEF6B20000-memory.dmp

Filesize
896KB

Download
memory/2512-63-0x000007FEF6A40000-0x000007FEF6B20000-memory.dmp

Filesize
896KB

Download
memory/2984-101-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/2984-105-0x000007FEF74F0000-0x000007FEF75D0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads