dridex | b0b20b7a4671e450e009be0837c965d13511fb3a19df8f0d9d2fa47be720b1b6

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll
Size

988KB
MD5

80184eee522c0774f344f21d1b042fde
SHA1

729c582affc7f092ecde4843fefea5c9b8ef0eda
SHA256

b0b20b7a4671e450e009be0837c965d13511fb3a19df8f0d9d2fa47be720b1b6
SHA512

5d47bfb61235e2f0950903b8ab776e106a2a077ed582749edfff9705b1da73104dba72a5f1a668689b2bc15f1c2b2e72de441ed6a7afda43e8bd5d6230ddba55
SSDEEP

24576:+VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:+V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3536-4-0x00000000034C0000-0x00000000034C1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exetcmsetup.exerdpinput.exe

pid process

5024 SystemPropertiesRemote.exe
1644 tcmsetup.exe
1052 rdpinput.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesRemote.exetcmsetup.exerdpinput.exe

pid process

5024 SystemPropertiesRemote.exe
1644 tcmsetup.exe
1052 rdpinput.exe

resource	yara_rule
behavioral2/memory/3536-4-0x00000000034C0000-0x00000000034C1000-memory.dmp	dridex_stager_shellcode

pid	process
5024	SystemPropertiesRemote.exe
1644	tcmsetup.exe
1052	rdpinput.exe

pid	process
5024	SystemPropertiesRemote.exe
1644	tcmsetup.exe
1052	rdpinput.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iwctvdcrnln = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\6CTPfSE5O\\tcmsetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesRemote.exetcmsetup.exerdpinput.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3536

pid	process
3536

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3536 wrote to memory of 2848	3536	SystemPropertiesRemote.exe
PID 3536 wrote to memory of 2848	3536	SystemPropertiesRemote.exe
PID 3536 wrote to memory of 5024	3536	SystemPropertiesRemote.exe
PID 3536 wrote to memory of 5024	3536	SystemPropertiesRemote.exe
PID 3536 wrote to memory of 1936	3536	tcmsetup.exe
PID 3536 wrote to memory of 1936	3536	tcmsetup.exe
PID 3536 wrote to memory of 1644	3536	tcmsetup.exe
PID 3536 wrote to memory of 1644	3536	tcmsetup.exe
PID 3536 wrote to memory of 4744	3536	rdpinput.exe
PID 3536 wrote to memory of 4744	3536	rdpinput.exe
PID 3536 wrote to memory of 1052	3536	rdpinput.exe
PID 3536 wrote to memory of 1052	3536	rdpinput.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80184eee522c0774f344f21d1b042fde_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\T6Hxgyh\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\T6Hxgyh\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5024

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:1936

C:\Users\Admin\AppData\Local\Wtrx0v\tcmsetup.exe
C:\Users\Admin\AppData\Local\Wtrx0v\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1644

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:4744

C:\Users\Admin\AppData\Local\0AtXK4q\rdpinput.exe
C:\Users\Admin\AppData\Local\0AtXK4q\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0AtXK4q\WTSAPI32.dll
Filesize
991KB

MD5
bc8d9d5da8e79f9ac16c1ad6f3b6b662

SHA1
a410460152c27c9a98f82f387b4746fc7b8a01f2

SHA256
95636cfba91b193876eda1452b9fe3599cc96ce1790aca377908eba054ba24fe

SHA512
8dfe39d8fd882dcbe06b8a650c1996b64beaccee8f45fde8d2fd7b8b3dfc27cc4c079f4f501abfc4dca3df94d500f200f0d10d1afa59745a8f021f52535109dc

Download Submit
C:\Users\Admin\AppData\Local\0AtXK4q\rdpinput.exe
Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Local\T6Hxgyh\SYSDM.CPL
Filesize
989KB

MD5
242e3393833e60cd278cfe46a50215a3

SHA1
b7da9af62007e7e1917e22454decd75b965e121d

SHA256
0925768b9f7c5b55b4016ca5f4e42fde10b4d6c1473939d754ce322c61e55989

SHA512
61ac830c68a45d81ea922707a50978f15c2623e091ce858efb434037c974ecc70b0345223f2b53698651cb70dd4ccccfc36900e84eaf00023cc95d08c316479a

Download Submit
C:\Users\Admin\AppData\Local\T6Hxgyh\SystemPropertiesRemote.exe
Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\Wtrx0v\TAPI32.dll
Filesize
996KB

MD5
f44ece21c736a9cb3ce51e03296b5dc3

SHA1
e798ab8591e715b5fee0707cb08daecb0d0c1238

SHA256
bb3f6a795fde43dd60210ce02bc52094609bbdd96f15dd1413721b21bdbae9b4

SHA512
7f67ccc6924aecb958ff4b3d38dd3771cbab45cd2711c32983ffe2972977dca0dcd99d0500bfa45d2a2a9c1fc4f723e5f10ac68c62d2ca524eeaa9e94b168107

Download Submit
C:\Users\Admin\AppData\Local\Wtrx0v\tcmsetup.exe
Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Puokv.lnk
Filesize
1KB

MD5
df0b674762ffcf89784057fb8c447f8b

SHA1
9dc7dc63a93af4718efa036ee1fe0829ecec91bc

SHA256
d82627d5f5231d26bd754981ee65d42f544b705d88e694b352fff296ead4617a

SHA512
f8812e70d0320c648cf1ac08c4a2740fe8c9596905a136ffb2862ab3de3415cee0d8d095353b7dfb6a4badb291335e6a1fa05ea8cf246f5e6b3c69cf924f3cbd

Download Submit
memory/1052-83-0x00000229280E0000-0x00000229280E7000-memory.dmp

Filesize
28KB

Download
memory/1052-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1644-67-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1644-62-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1644-61-0x000001ACB9BD0000-0x000001ACB9BD7000-memory.dmp

Filesize
28KB

Download
memory/2564-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2564-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2564-0-0x000001BBB3B40000-0x000001BBB3B47000-memory.dmp

Filesize
28KB

Download
memory/3536-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-4-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/3536-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-30-0x00007FFFBBC5A000-0x00007FFFBBC5B000-memory.dmp

Filesize
4KB

Download
memory/3536-31-0x00000000014C0000-0x00000000014C7000-memory.dmp

Filesize
28KB

Download
memory/3536-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-32-0x00007FFFBDAD0000-0x00007FFFBDAE0000-memory.dmp

Filesize
64KB

Download
memory/3536-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3536-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/5024-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/5024-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/5024-47-0x0000018D9C500000-0x0000018D9C507000-memory.dmp

Filesize
28KB

Download