dridex | 6e595a15eb50e2fc6c4d76554b992ab4a81be446c4b8b450e84ed308f7dcf341

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba78189a1e1389cdcf5478ec3ec0f8c2_JaffaCakes118.dll
Size

1.2MB
MD5

ba78189a1e1389cdcf5478ec3ec0f8c2
SHA1

0b5278a45fb91bddbc33841fcdd4074bda3377f2
SHA256

6e595a15eb50e2fc6c4d76554b992ab4a81be446c4b8b450e84ed308f7dcf341
SHA512

f59f0409426fad48a60cfed2cdd33d523699f7c23fb4dfb1dccc5525a7c5be2dacb5c612debb73a2d0af69748fe78f2276c5653feb7b655e794205af11ec692d
SSDEEP

24576:5VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:5V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3432-4-0x0000000002B60000-0x0000000002B61000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 4 IoCs

Processes:

ie4uinit.exerdpinput.exeEaseOfAccessDialog.exeSystemPropertiesHardware.exe

pid process

908 ie4uinit.exe
4340 rdpinput.exe
2448 EaseOfAccessDialog.exe
5072 SystemPropertiesHardware.exe
Loads dropped DLL 6 IoCs

Processes:

ie4uinit.exerdpinput.exeEaseOfAccessDialog.exeSystemPropertiesHardware.exe

pid process

908 ie4uinit.exe
908 ie4uinit.exe
908 ie4uinit.exe
4340 rdpinput.exe
2448 EaseOfAccessDialog.exe
5072 SystemPropertiesHardware.exe

resource	yara_rule
behavioral2/memory/3432-4-0x0000000002B60000-0x0000000002B61000-memory.dmp	dridex_stager_shellcode

pid	process
908	ie4uinit.exe
4340	rdpinput.exe
2448	EaseOfAccessDialog.exe
5072	SystemPropertiesHardware.exe

pid	process
908	ie4uinit.exe
908	ie4uinit.exe
908	ie4uinit.exe
4340	rdpinput.exe
2448	EaseOfAccessDialog.exe
5072	SystemPropertiesHardware.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\m3\\EASEOF~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinput.exeEaseOfAccessDialog.exeSystemPropertiesHardware.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1264	rundll32.exe
1264	rundll32.exe
1264	rundll32.exe
1264	rundll32.exe
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3432
3432
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3432

pid	process
3432
3432

pid	process
3432

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3432 wrote to memory of 1844	3432	ie4uinit.exe
PID 3432 wrote to memory of 1844	3432	ie4uinit.exe
PID 3432 wrote to memory of 908	3432	ie4uinit.exe
PID 3432 wrote to memory of 908	3432	ie4uinit.exe
PID 3432 wrote to memory of 4040	3432	rdpinput.exe
PID 3432 wrote to memory of 4040	3432	rdpinput.exe
PID 3432 wrote to memory of 4340	3432	rdpinput.exe
PID 3432 wrote to memory of 4340	3432	rdpinput.exe
PID 3432 wrote to memory of 1624	3432	EaseOfAccessDialog.exe
PID 3432 wrote to memory of 1624	3432	EaseOfAccessDialog.exe
PID 3432 wrote to memory of 2448	3432	EaseOfAccessDialog.exe
PID 3432 wrote to memory of 2448	3432	EaseOfAccessDialog.exe
PID 3432 wrote to memory of 1176	3432	SystemPropertiesHardware.exe
PID 3432 wrote to memory of 1176	3432	SystemPropertiesHardware.exe
PID 3432 wrote to memory of 5072	3432	SystemPropertiesHardware.exe
PID 3432 wrote to memory of 5072	3432	SystemPropertiesHardware.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba78189a1e1389cdcf5478ec3ec0f8c2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:684

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:1844

C:\Users\Admin\AppData\Local\8bGkfhoy8\ie4uinit.exe
C:\Users\Admin\AppData\Local\8bGkfhoy8\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:4040

C:\Users\Admin\AppData\Local\MtPi\rdpinput.exe
C:\Users\Admin\AppData\Local\MtPi\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4340

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:1624

C:\Users\Admin\AppData\Local\c0UR\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\c0UR\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2448

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1176

C:\Users\Admin\AppData\Local\5JXNzHbcV\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\5JXNzHbcV\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5JXNzHbcV\SYSDM.CPL
Filesize
1.2MB

MD5
737b74ce5f28dd426670d0b9b6d5304b

SHA1
836396925761e0dc809a0f70a3350844631a0b78

SHA256
30d4247f62b9aaa30430e889edf6699b3d47909173ab8fd20ff3fdcb9ff5a327

SHA512
9b5d2b5920e8ec41443e7ffd24c2ee22c4d66c03ca0038682a35448d70f936927a04a25ec0ab0960ad624644e2eb708dfcaa020989a354f86731dd80e1fd9de9

Download Submit
C:\Users\Admin\AppData\Local\5JXNzHbcV\SystemPropertiesHardware.exe
Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Local\8bGkfhoy8\VERSION.dll
Filesize
1.2MB

MD5
cd8f69f3750f75925042d24077fc4fc7

SHA1
dd9377a5be050b3cae2d5a37666fc517f03bb35e

SHA256
ff756caf7f6592f8f8f1c77a6e7010e3efe69e21ae3d467b7ae2ec9fc2e4a6f8

SHA512
b249e89e7badda86c8588dbb860181f65d678b420688c8dba742051b3b1eba5eace18a66444b079903e943810534bac121123c9fc429e0ec2d887275ae8378fe

Download Submit
C:\Users\Admin\AppData\Local\8bGkfhoy8\ie4uinit.exe
Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\MtPi\WTSAPI32.dll
Filesize
1.2MB

MD5
9ba5765494b78811bddb97bc8c486ee5

SHA1
22477c11f21672f68fed3975e7070827360eac6b

SHA256
309cd0840ddaa4f4423fc816619a7de056871618240602467e69c9843dad2b28

SHA512
a0d7313ccab8550350dd145e0b2f363dced3059df730249e923c8a2ee54870b695f941e45551c9ee768d5ddd3e01e009cf5d558954e34ac23cd97fb825d8a6ef

Download Submit
C:\Users\Admin\AppData\Local\MtPi\rdpinput.exe
Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Local\c0UR\EaseOfAccessDialog.exe
Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\c0UR\OLEACC.dll
Filesize
1.2MB

MD5
7067f42c4c8381e66619565fe95f8bb9

SHA1
480160c834c7570c897df7b831f6db1d1f6bf803

SHA256
9a2e29eb2d5d5c3787e87f2f9a6011e71eabd2cb5a47177aeb00197f1db8e39c

SHA512
3537c227321f1f860e1f0520d7d843d0a6217d7f590f27d1f67acfd189de3a8d902934046bc0401be9bc3dcc6d1ce9ac22aedfcd6382f51ed18f9446422e9ea2

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnk
Filesize
1KB

MD5
dc342f35a0b79a752b5fe8570af4ca53

SHA1
8a0ac8e874e7e8f2c5cbc9e1b77e63b65c6edc00

SHA256
1f4273a292c9dd916794ed1938a21e22feed6cec9879dd39eb233a49f5e8324c

SHA512
67d2bad5f814ed05132d08d6fb15651bb0a02e7b27349134ce3658f07bacf367edc892c561591bc3df8fd59acba99122438cf318b8b0d0e248d735c7928bc55a

Download Submit
memory/1264-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1264-3-0x0000026DEAE40000-0x0000026DEAE47000-memory.dmp

Filesize
28KB

Download
memory/1264-38-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2448-77-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3432-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-35-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-32-0x00007FFC2362A000-0x00007FFC2362B000-memory.dmp

Filesize
4KB

Download
memory/3432-33-0x0000000002A20000-0x0000000002A27000-memory.dmp

Filesize
28KB

Download
memory/3432-4-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3432-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-34-0x00007FFC24F50000-0x00007FFC24F60000-memory.dmp

Filesize
64KB

Download
memory/3432-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3432-23-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4340-61-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4340-56-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4340-55-0x00000270AB490000-0x00000270AB497000-memory.dmp

Filesize
28KB

Download
memory/5072-93-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download