dridex | 7dad2b337bedd59fa33e751f31a5ae20f4b23b18bf63f47459f303b4ea462236

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ccd309cb3d6064a84f92ed732b8b87e_JaffaCakes118.dll
Size

988KB
MD5

7ccd309cb3d6064a84f92ed732b8b87e
SHA1

c65b2b78d37f299953d4116e2b87814c3fc50af4
SHA256

7dad2b337bedd59fa33e751f31a5ae20f4b23b18bf63f47459f303b4ea462236
SHA512

e34242852d187ebd11896bce63e61b5821d2222c3243f235692c36bbe452e08a89255e2da53a04d0970b6acf2cf031e81dbb7cd8afc80ecfe847a9451cbb19c1
SSDEEP

24576:mVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:mV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3516-4-0x00000000087A0000-0x00000000087A1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 4 IoCs

Processes:

consent.exeunregmp2.exeSysResetErr.exeCloudNotifications.exe

pid process

2028 consent.exe
908 unregmp2.exe
4120 SysResetErr.exe
2720 CloudNotifications.exe
Loads dropped DLL 3 IoCs

Processes:

unregmp2.exeSysResetErr.exeCloudNotifications.exe

pid process

908 unregmp2.exe
4120 SysResetErr.exe
2720 CloudNotifications.exe

resource	yara_rule
behavioral2/memory/3516-4-0x00000000087A0000-0x00000000087A1000-memory.dmp	dridex_stager_shellcode

pid	process
2028	consent.exe
908	unregmp2.exe
4120	SysResetErr.exe
2720	CloudNotifications.exe

pid	process
908	unregmp2.exe
4120	SysResetErr.exe
2720	CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\dxcW\\SysResetErr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeunregmp2.exeSysResetErr.exeCloudNotifications.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3936	rundll32.exe
3936	rundll32.exe
3936	rundll32.exe
3936	rundll32.exe
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3516
3516
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3516

pid	process
3516
3516

pid	process
3516

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3516 wrote to memory of 4572	3516	consent.exe
PID 3516 wrote to memory of 4572	3516	consent.exe
PID 3516 wrote to memory of 2028	3516	consent.exe
PID 3516 wrote to memory of 2028	3516	consent.exe
PID 3516 wrote to memory of 4788	3516	unregmp2.exe
PID 3516 wrote to memory of 4788	3516	unregmp2.exe
PID 3516 wrote to memory of 908	3516	unregmp2.exe
PID 3516 wrote to memory of 908	3516	unregmp2.exe
PID 3516 wrote to memory of 4620	3516	SysResetErr.exe
PID 3516 wrote to memory of 4620	3516	SysResetErr.exe
PID 3516 wrote to memory of 4120	3516	SysResetErr.exe
PID 3516 wrote to memory of 4120	3516	SysResetErr.exe
PID 3516 wrote to memory of 632	3516	CloudNotifications.exe
PID 3516 wrote to memory of 632	3516	CloudNotifications.exe
PID 3516 wrote to memory of 2720	3516	CloudNotifications.exe
PID 3516 wrote to memory of 2720	3516	CloudNotifications.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ccd309cb3d6064a84f92ed732b8b87e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:4572

C:\Users\Admin\AppData\Local\kShlJD\consent.exe
C:\Users\Admin\AppData\Local\kShlJD\consent.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:4788

C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe
C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:908

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:4620

C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe
C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4120

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:632

C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe
C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mu1\DUI70.dll
Filesize
1.2MB

MD5
cf04c09e5819bc5f646713919bc7a277

SHA1
d50ff9500dc1f96752951b29cfdd40c9a50244b5

SHA256
b683fd658466eddee99d98badd6be22453c4bae2b528a9ad9a53a76add36e7a7

SHA512
67c08da6a6bd872970f5765c4df6965ac226eb27651135111d820afc38251d8c317ae495673e9aef440ee1acbfef3ccc544b4f028f4151bc66ebb7c6ddfb2093

Download Submit
C:\Users\Admin\AppData\Local\Mu1\SysResetErr.exe
Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\P68OC\VERSION.dll
Filesize
989KB

MD5
153aff5ca7c7bdb18178ce9e97d3ecfa

SHA1
2d4f2db5683555531e5f87bbd4bc7be44b4df4d3

SHA256
4164e12439c4b8fa34ccca81cd23abc43508acbff27a8844f494531cb952020e

SHA512
4b1a59b59cf0d146d05f5bef649e2f64e3900cf0b9943ff050f42b05b07208dff7d281b2d13e9dafc0ee59bc9787c536b2734d1253452a6a3e96a37e41099701

Download Submit
C:\Users\Admin\AppData\Local\P68OC\unregmp2.exe
Filesize
259KB

MD5
a6fc8ce566dec7c5873cb9d02d7b874e

SHA1
a30040967f75df85a1e3927bdce159b102011a61

SHA256
21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

SHA512
f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

Download Submit
C:\Users\Admin\AppData\Local\Qcvj\CloudNotifications.exe
Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\Qcvj\UxTheme.dll
Filesize
991KB

MD5
5b2dba77128632d2085cd0bfd0c58d2f

SHA1
8fd11277e2dba9b3c5dc400f6da8538207acec99

SHA256
b29cd5ddde0e1cdfae46689a56c95e57c86c5f4605862edd2007d66a0ebccdb2

SHA512
be60dc417bb87500d0543e9aa62a4b0b7b68918ef225ea2fabcb37bd7bfe017b9935d8fcd5811e8372bbfc4c62817c7126bdceeaa444c9d5ac6f9ae1d5ea826e

Download Submit
C:\Users\Admin\AppData\Local\kShlJD\consent.exe
Filesize
162KB

MD5
6646631ce4ad7128762352da81f3b030

SHA1
1095bd4b63360fc2968d75622aa745e5523428ab

SHA256
56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

SHA512
1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk
Filesize
834B

MD5
e3fd9a7dd98324f8815caa8f2cf3327a

SHA1
3a993b0742cbe4848bd8b65a26695396e3e26fd4

SHA256
41ae870670dd7a1ef67c7ff56acc671c3c35db340162545c990ffdc90036bf5f

SHA512
9a6ab704e499dce8c64ea5a44f1c3297c77e5e3c91c6e3bf4b9bf5e84f6ee0094be458f489312f666c7e7546a8e7c60b8bc29ca3ca785e0a8bb00321aa042b02

Download Submit
memory/908-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/908-55-0x000001C1E7220000-0x000001C1E7227000-memory.dmp

Filesize
28KB

Download
memory/908-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2720-91-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3516-27-0x0000000008780000-0x0000000008787000-memory.dmp

Filesize
28KB

Download
memory/3516-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-4-0x00000000087A0000-0x00000000087A1000-memory.dmp

Filesize
4KB

Download
memory/3516-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-26-0x00007FFDF0EBA000-0x00007FFDF0EBB000-memory.dmp

Filesize
4KB

Download
memory/3516-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-28-0x00007FFDF2DF0000-0x00007FFDF2E00000-memory.dmp

Filesize
64KB

Download
memory/3516-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3516-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3936-0-0x0000026F3C4E0000-0x0000026F3C4E7000-memory.dmp

Filesize
28KB

Download
memory/3936-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3936-2-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4120-75-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4120-69-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4120-72-0x000002EF55110000-0x000002EF55117000-memory.dmp

Filesize
28KB

Download