dridex | 6aafd2dd448fa8e982695f250298f2e9c0927d4d90f80c57e6d57d69abed9a14

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aafd2dd448fa8e982695f250298f2e9c0927d4d90f80c57e6d57d69abed9a14.dll
Size

965KB
MD5

8c626b0730876bc39bfad224fb742d3f
SHA1

b998aa15b53814de5407c2048440786dbcecd572
SHA256

6aafd2dd448fa8e982695f250298f2e9c0927d4d90f80c57e6d57d69abed9a14
SHA512

4ec780d3061245e18cb36268df014325142c9894ce59e33fcd9a87605afcfb872aa0aa53f09a76a2152004d7a0a20ab3e3438b952756c1bf4004b3b442082092

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1296-59-0x0000000002230000-0x0000000002231000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sdclt.exeSndVol.exesigverif.exe

pid process

856 sdclt.exe
1580 SndVol.exe
1916 sigverif.exe
Loads dropped DLL 7 IoCs

Processes:

sdclt.exeSndVol.exesigverif.exe

pid process

1296
856 sdclt.exe
1296
1580 SndVol.exe
1296
1916 sigverif.exe
1296

pid	process
856	sdclt.exe
1580	SndVol.exe
1916	sigverif.exe

pid	process
1296
856	sdclt.exe
1296
1580	SndVol.exe
1296
1916	sigverif.exe
1296

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\iRVuk\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesdclt.exeSndVol.exesigverif.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1296 wrote to memory of 524	1296	sdclt.exe
PID 1296 wrote to memory of 524	1296	sdclt.exe
PID 1296 wrote to memory of 524	1296	sdclt.exe
PID 1296 wrote to memory of 856	1296	sdclt.exe
PID 1296 wrote to memory of 856	1296	sdclt.exe
PID 1296 wrote to memory of 856	1296	sdclt.exe
PID 1296 wrote to memory of 1288	1296	SndVol.exe
PID 1296 wrote to memory of 1288	1296	SndVol.exe
PID 1296 wrote to memory of 1288	1296	SndVol.exe
PID 1296 wrote to memory of 1580	1296	SndVol.exe
PID 1296 wrote to memory of 1580	1296	SndVol.exe
PID 1296 wrote to memory of 1580	1296	SndVol.exe
PID 1296 wrote to memory of 2004	1296	sigverif.exe
PID 1296 wrote to memory of 2004	1296	sigverif.exe
PID 1296 wrote to memory of 2004	1296	sigverif.exe
PID 1296 wrote to memory of 1916	1296	sigverif.exe
PID 1296 wrote to memory of 1916	1296	sigverif.exe
PID 1296 wrote to memory of 1916	1296	sigverif.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aafd2dd448fa8e982695f250298f2e9c0927d4d90f80c57e6d57d69abed9a14.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:524

C:\Users\Admin\AppData\Local\Sz5reiw\sdclt.exe
C:\Users\Admin\AppData\Local\Sz5reiw\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:856

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:1288

C:\Users\Admin\AppData\Local\hKK\SndVol.exe
C:\Users\Admin\AppData\Local\hKK\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1580

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:2004

C:\Users\Admin\AppData\Local\HE7\sigverif.exe
C:\Users\Admin\AppData\Local\HE7\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1916

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HE7\VERSION.dll
Filesize
965KB

MD5
e6b6b16d3d30612d753be242587cd561

SHA1
261c8782f8079d7ecacc9ecb221f45496ce0596e

SHA256
7e5a92d08138df7cc0c875529d4d6172e099838e825518a20906a631e9272dbb

SHA512
1517d522f83d2edffaf06a5f5acf89c98751795c08a89edd52724c1ae219bd8919e970d5869c83d28d26c1322f33d581a701ff1d43879ba179d93cd87cce3d7c

Download Submit
C:\Users\Admin\AppData\Local\HE7\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
C:\Users\Admin\AppData\Local\Sz5reiw\SPP.dll
Filesize
965KB

MD5
f012bb0e416da2c4f014890e7fe1001d

SHA1
a44483ec2597968005abb729204b1d9d75a631f6

SHA256
ec419795ef59bcf6795e44435320875c1df771a05468c79ec3292fd391dd434c

SHA512
19be54164011aaa9ad3fcbe86bae2c3996ce4199b183b406e4b63d8609a07ba13c4ad87862972bf3f033b023d4c325e610085678f13dd8e7d14963e752dcd93e

Download Submit
C:\Users\Admin\AppData\Local\Sz5reiw\sdclt.exe
Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
C:\Users\Admin\AppData\Local\hKK\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\hKK\UxTheme.dll
Filesize
967KB

MD5
da9f115780659ea31b3c4cbd3609a3be

SHA1
91e0e7f6cfcf31b797f9823dc2e4c1cc20e49124

SHA256
1114cd103f79025421a2f7da5b17ce14e7e4e5dc2385f66ddad28bcb8f6c816c

SHA512
6589ad0f4651cfcd7f6d376e847f848e568e947895113a466207cf83da735efd216c211c7c314e04d35b452991d1b4998507f03ac066aa45d3bf436adde22cc3

Download Submit
\Users\Admin\AppData\Local\HE7\VERSION.dll
Filesize
965KB

MD5
e6b6b16d3d30612d753be242587cd561

SHA1
261c8782f8079d7ecacc9ecb221f45496ce0596e

SHA256
7e5a92d08138df7cc0c875529d4d6172e099838e825518a20906a631e9272dbb

SHA512
1517d522f83d2edffaf06a5f5acf89c98751795c08a89edd52724c1ae219bd8919e970d5869c83d28d26c1322f33d581a701ff1d43879ba179d93cd87cce3d7c

Download Submit
\Users\Admin\AppData\Local\HE7\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\Sz5reiw\SPP.dll
Filesize
965KB

MD5
f012bb0e416da2c4f014890e7fe1001d

SHA1
a44483ec2597968005abb729204b1d9d75a631f6

SHA256
ec419795ef59bcf6795e44435320875c1df771a05468c79ec3292fd391dd434c

SHA512
19be54164011aaa9ad3fcbe86bae2c3996ce4199b183b406e4b63d8609a07ba13c4ad87862972bf3f033b023d4c325e610085678f13dd8e7d14963e752dcd93e

Download Submit
\Users\Admin\AppData\Local\Sz5reiw\sdclt.exe
Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Local\hKK\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\hKK\UxTheme.dll
Filesize
967KB

MD5
da9f115780659ea31b3c4cbd3609a3be

SHA1
91e0e7f6cfcf31b797f9823dc2e4c1cc20e49124

SHA256
1114cd103f79025421a2f7da5b17ce14e7e4e5dc2385f66ddad28bcb8f6c816c

SHA512
6589ad0f4651cfcd7f6d376e847f848e568e947895113a466207cf83da735efd216c211c7c314e04d35b452991d1b4998507f03ac066aa45d3bf436adde22cc3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\m7D\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
memory/856-83-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/856-86-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/856-90-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/856-81-0x0000000000000000-mapping.dmp

Download
memory/1296-64-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-67-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-61-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-68-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-60-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-78-0x0000000002210000-0x0000000002217000-memory.dmp

Filesize
28KB

Download
memory/1296-69-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-59-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1296-66-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-62-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-65-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-63-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1296-79-0x0000000077750000-0x0000000077752000-memory.dmp

Filesize
8KB

Download
memory/1312-54-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1312-58-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1580-101-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1580-92-0x0000000000000000-mapping.dmp

Download
memory/1916-103-0x0000000000000000-mapping.dmp

Download
memory/1916-112-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads