dridex | b0b20b7a4671e450e009be0837c965d13511fb3a19df8f0d9d2fa47be720b1b6

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll
Size

988KB
MD5

80184eee522c0774f344f21d1b042fde
SHA1

729c582affc7f092ecde4843fefea5c9b8ef0eda
SHA256

b0b20b7a4671e450e009be0837c965d13511fb3a19df8f0d9d2fa47be720b1b6
SHA512

5d47bfb61235e2f0950903b8ab776e106a2a077ed582749edfff9705b1da73104dba72a5f1a668689b2bc15f1c2b2e72de441ed6a7afda43e8bd5d6230ddba55
SSDEEP

24576:+VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:+V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1180-5-0x0000000002E90000-0x0000000002E91000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

recdisc.exeMpSigStub.exeBitLockerWizardElev.exe

pid process

2728 recdisc.exe
860 MpSigStub.exe
1568 BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs

Processes:

recdisc.exeMpSigStub.exeBitLockerWizardElev.exe

pid process

1180
2728 recdisc.exe
1180
860 MpSigStub.exe
1180
1568 BitLockerWizardElev.exe
1180

resource	yara_rule
behavioral1/memory/1180-5-0x0000000002E90000-0x0000000002E91000-memory.dmp	dridex_stager_shellcode

pid	process
2728	recdisc.exe
860	MpSigStub.exe
1568	BitLockerWizardElev.exe

pid	process
1180
2728	recdisc.exe
1180
860	MpSigStub.exe
1180
1568	BitLockerWizardElev.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\ASVHCOTpk\\MpSigStub.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerecdisc.exeMpSigStub.exeBitLockerWizardElev.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2988	rundll32.exe
2988	rundll32.exe
2988	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1180 wrote to memory of 2628	1180	recdisc.exe
PID 1180 wrote to memory of 2628	1180	recdisc.exe
PID 1180 wrote to memory of 2628	1180	recdisc.exe
PID 1180 wrote to memory of 2728	1180	recdisc.exe
PID 1180 wrote to memory of 2728	1180	recdisc.exe
PID 1180 wrote to memory of 2728	1180	recdisc.exe
PID 1180 wrote to memory of 1596	1180	MpSigStub.exe
PID 1180 wrote to memory of 1596	1180	MpSigStub.exe
PID 1180 wrote to memory of 1596	1180	MpSigStub.exe
PID 1180 wrote to memory of 860	1180	MpSigStub.exe
PID 1180 wrote to memory of 860	1180	MpSigStub.exe
PID 1180 wrote to memory of 860	1180	MpSigStub.exe
PID 1180 wrote to memory of 2772	1180	BitLockerWizardElev.exe
PID 1180 wrote to memory of 2772	1180	BitLockerWizardElev.exe
PID 1180 wrote to memory of 2772	1180	BitLockerWizardElev.exe
PID 1180 wrote to memory of 1568	1180	BitLockerWizardElev.exe
PID 1180 wrote to memory of 1568	1180	BitLockerWizardElev.exe
PID 1180 wrote to memory of 1568	1180	BitLockerWizardElev.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2628

C:\Users\Admin\AppData\Local\HGAW3\recdisc.exe
C:\Users\Admin\AppData\Local\HGAW3\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2728

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:1596

C:\Users\Admin\AppData\Local\gtw\MpSigStub.exe
C:\Users\Admin\AppData\Local\gtw\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:860

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2772

C:\Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1568

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HGAW3\SPP.dll
Filesize
989KB

MD5
34f6268b3390fef129d67e1822853387

SHA1
0cf857248436cf7bd81b3ea93b85b18c7083e040

SHA256
d42f6e147abc6d796230ccc8faaf006d3a1c15777f8465a65fbf478b56389f61

SHA512
2eadd42c09eb0142da3d5691277e6328d6d38bb040eb8644fa98839cf2b0d602f9c0d2c28b65dac0481607bc149f6aadba71ea2a4d234ba7c4239427b2fb4faf

Download Submit
C:\Users\Admin\AppData\Local\gtw\VERSION.dll
Filesize
989KB

MD5
dcd5db92dbff5e2685077c333ea85539

SHA1
4730c827b9efe186f6dd8b3e981356f2a372cccf

SHA256
94208399048ac01ea205578dc4fd5e10092603669651b41e18c050dc45ff8b6f

SHA512
32c829f9419fdc3aee98a35c89a7b0066a9eda7cd6c490ea3c5e36c877c61d3fd5536d7cb1612ded0a1c7147d87ab4c7f61ee7660e705f5ea0876927ee5eb049

Download Submit
C:\Users\Admin\AppData\Local\kmzISWfq7\FVEWIZ.dll
Filesize
990KB

MD5
4b9345f2f3443107773dd45baef691b8

SHA1
a6fc2d6ee67ca9f65113c4d6061b82d9db646d2c

SHA256
4ae3b93afbacecb534ec252e4b5bd3908f0da410bfe0f6459bc4c3eaab1c9971

SHA512
f7b4797d7fdc34006c9d5e05f2fa5e18def2ae64a005513643de3cdf70d29120b7cb44aeab039edf57669b0d646ba1a1204e3da22bf2dc22c833dde3759ddec5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
Filesize
1KB

MD5
9246be8c323830a1e3349aa727472b31

SHA1
83e24a32600fbe60e5b42a6639bac43f61db753b

SHA256
2a855e1dbc631095c96f48fd49d52f2ed16478206bf22778c14ac7c2c3be4a34

SHA512
01c119b98d52d3cba4f25713c1f51e3d4a8b3319d778fb28bde71b7c26fdb921235d54a376da7f3fddb74d15dfb732585d392fbe0ec5a32fc39cbf090cfcfdf8

Download Submit
\Users\Admin\AppData\Local\HGAW3\recdisc.exe
Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
\Users\Admin\AppData\Local\gtw\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\kmzISWfq7\BitLockerWizardElev.exe
Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
memory/860-76-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/860-73-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1180-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-17-0x0000000002E70000-0x0000000002E77000-memory.dmp

Filesize
28KB

Download
memory/1180-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-24-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-25-0x0000000077981000-0x0000000077982000-memory.dmp

Filesize
4KB

Download
memory/1180-26-0x0000000077B10000-0x0000000077B12000-memory.dmp

Filesize
8KB

Download
memory/1180-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-4-0x0000000077776000-0x0000000077777000-memory.dmp

Filesize
4KB

Download
memory/1180-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1180-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1180-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1568-91-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1568-94-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2728-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2728-55-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2728-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2988-0-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2988-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2988-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads