dridex | 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530

Target

93394d6e_by_Libranalysis.dll
Size

588KB
MD5

93394d6e0ea894922267955095fabbc9
SHA1

38ac582b64fb09f212aceddf5e3cc13946c69985
SHA256

7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
SHA512

aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/3992-114-0x0000000140000000-0x000000014009D000-memory.dmp	dridex_payload
behavioral2/memory/3776-139-0x0000000140000000-0x000000014009E000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3036-120-0x0000000000660000-0x0000000000661000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3776	sppsvc.exe
3296	SppExtComObj.Exe
1160	CloudNotifications.exe

Loads dropped DLL 3 IoCs

pid	Process
3776	sppsvc.exe
3296	SppExtComObj.Exe
1160	CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jngmlmox = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3686645723-710336880-414668232-1000\\Yv\\SppExtComObj.Exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3036	Process not Found
Token: SeCreatePagefilePrivilege	3036	Process not Found
Token: SeShutdownPrivilege	3036	Process not Found
Token: SeCreatePagefilePrivilege	3036	Process not Found
Token: SeShutdownPrivilege	3036	Process not Found
Token: SeCreatePagefilePrivilege	3036	Process not Found
Token: SeShutdownPrivilege	3036	Process not Found
Token: SeCreatePagefilePrivilege	3036	Process not Found

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found
3036	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3036	Process not Found

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3776	3036	Process not Found	80
PID 3036 wrote to memory of 3776	3036	Process not Found	80
PID 3036 wrote to memory of 3464	3036	Process not Found	81
PID 3036 wrote to memory of 3464	3036	Process not Found	81
PID 3036 wrote to memory of 3296	3036	Process not Found	82
PID 3036 wrote to memory of 3296	3036	Process not Found	82
PID 3036 wrote to memory of 1360	3036	Process not Found	83
PID 3036 wrote to memory of 1360	3036	Process not Found	83
PID 3036 wrote to memory of 1160	3036	Process not Found	84
PID 3036 wrote to memory of 1160	3036	Process not Found	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3992

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1516

C:\Users\Admin\AppData\Local\aGi7FNo3\sppsvc.exe
C:\Users\Admin\AppData\Local\aGi7FNo3\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3776

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:3464

C:\Users\Admin\AppData\Local\ehxOzmz\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\ehxOzmz\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3296

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Qr1qP\CloudNotifications.exe
C:\Users\Admin\AppData\Local\Qr1qP\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-120-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3036-122-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3036-123-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3036-133-0x00007FFE0A3D4320-0x00007FFE0A3D5320-memory.dmp

Filesize
4KB

Download
memory/3036-121-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3036-124-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3776-139-0x0000000140000000-0x000000014009E000-memory.dmp

Filesize
632KB

Download
memory/3992-114-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3992-119-0x000001B5A9910000-0x000001B5A9917000-memory.dmp

Filesize
28KB

Download