dridex | a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd

General

Target

a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd.dll
Size

848KB
MD5

981cdedd76e4b8ca77fd40a4caf72463
SHA1

10570f977b5af392293fbc3f9d7174ada4f5ad20
SHA256

a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd
SHA512

2ee0cc26858ca7ef05c6ce087a404875d8199b0c8454ea22cad301d9aad6e7bc9cc1e3996538cb5ce731ae7541cc4c7efa781342bf79567e1210626957881dc9
SSDEEP

12288:rZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:rZK6F7nVeRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3420-4-0x0000000002A30000-0x0000000002A31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msinfo32.exeApplySettingsTemplateCatalog.exeCloudNotifications.exe

pid process

3548 msinfo32.exe
4792 ApplySettingsTemplateCatalog.exe
2316 CloudNotifications.exe
Loads dropped DLL 3 IoCs

Processes:

msinfo32.exeApplySettingsTemplateCatalog.exeCloudNotifications.exe

pid process

3548 msinfo32.exe
4792 ApplySettingsTemplateCatalog.exe
2316 CloudNotifications.exe

pid	process
3548	msinfo32.exe
4792	ApplySettingsTemplateCatalog.exe
2316	CloudNotifications.exe

pid	process
3548	msinfo32.exe
4792	ApplySettingsTemplateCatalog.exe
2316	CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ftmqvfjd = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\GL4\\ApplySettingsTemplateCatalog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsinfo32.exeApplySettingsTemplateCatalog.exeCloudNotifications.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3420

pid	process
3420

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3420 wrote to memory of 888	3420	msinfo32.exe
PID 3420 wrote to memory of 888	3420	msinfo32.exe
PID 3420 wrote to memory of 3548	3420	msinfo32.exe
PID 3420 wrote to memory of 3548	3420	msinfo32.exe
PID 3420 wrote to memory of 4164	3420	ApplySettingsTemplateCatalog.exe
PID 3420 wrote to memory of 4164	3420	ApplySettingsTemplateCatalog.exe
PID 3420 wrote to memory of 4792	3420	ApplySettingsTemplateCatalog.exe
PID 3420 wrote to memory of 4792	3420	ApplySettingsTemplateCatalog.exe
PID 3420 wrote to memory of 4056	3420	CloudNotifications.exe
PID 3420 wrote to memory of 4056	3420	CloudNotifications.exe
PID 3420 wrote to memory of 2316	3420	CloudNotifications.exe
PID 3420 wrote to memory of 2316	3420	CloudNotifications.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:888

C:\Users\Admin\AppData\Local\RskRH0k7\msinfo32.exe
C:\Users\Admin\AppData\Local\RskRH0k7\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3548

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:4164

C:\Users\Admin\AppData\Local\b9ABcuF\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\b9ABcuF\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4792

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:4056

C:\Users\Admin\AppData\Local\PaWrD\CloudNotifications.exe
C:\Users\Admin\AppData\Local\PaWrD\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PaWrD\CloudNotifications.exe
Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\PaWrD\UxTheme.dll
Filesize
852KB

MD5
a1d969f1c54147fad451be6e2e626dec

SHA1
ef8954eb4f27b3a807e811ead9be2797b7fbcef5

SHA256
9f3d9d1a9efcdf89abab081b12c1a6eb2be709a7f20ec713aa811fac1a9b2135

SHA512
bf50a5f1686fd8a92c64a7c90bfba87b7ee39a6f24412a07cc46fdb946a99c37e2b2c229a02024f74d1df2506cac32e342fbde8937ad286db868bd6040f2f63e

Download Submit
C:\Users\Admin\AppData\Local\RskRH0k7\MFC42u.dll
Filesize
876KB

MD5
607dbceeccde5e976fd70b0271ae2a5b

SHA1
2698778470245c66099d1c60695a7403e62a7973

SHA256
66b58df6c8c0636aa563713eaddc44834bcb7045666d939b2767193263585adc

SHA512
608c4e067ece2e5644ee144f99dbfcfedf638d8037c3788c122146f9dd309d61c56d8d947661ce65286785a8cacf56ad4483d28c9858e9239b01dfbc8666cd7f

Download Submit
C:\Users\Admin\AppData\Local\RskRH0k7\msinfo32.exe
Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\b9ABcuF\ACTIVEDS.dll
Filesize
852KB

MD5
999a0c580aa5f2213afcd39e9023cd15

SHA1
34ae15447d453ed491d2e872686fce8a034a1240

SHA256
9ba430ca8d94165f017c9aa258eff7135005f3ba757d55a451c5c4a1a711479a

SHA512
db10b8acc4cb3e259806389e60a3e507e3ef5e2c97ad8852d69bdef56753cfb93afecd55ad247c0f0ac6452bc4c4e43023bd1bee1e9cd39e23d81d86eaa6313c

Download Submit
C:\Users\Admin\AppData\Local\b9ABcuF\ApplySettingsTemplateCatalog.exe
Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Quwsixejg.lnk
Filesize
1KB

MD5
076261a0066a56956c210b8ef7cde606

SHA1
549cb6ca7ac76aca557f9fdafb77ad83b679e92b

SHA256
3db0950968d5a2b503b7fcf8005ae1596b648eae41bb18b5ab6a00f6da5173c6

SHA512
c79251416590d3dcfc761fae40e3e37cc8b0b32c5c7a3f4d4e6d021d84f8b9ea7a28b14604d0fd4dbe61ad3fb007aebfd23858e237363b4e72f9a0b18fa5d4ea

Download Submit
memory/1492-0-0x00000225D4DE0000-0x00000225D4DE7000-memory.dmp

Filesize
28KB

Download
memory/1492-1-0x00007FFCD4E70000-0x00007FFCD4F44000-memory.dmp

Filesize
848KB

Download
memory/1492-8-0x00007FFCD4E70000-0x00007FFCD4F44000-memory.dmp

Filesize
848KB

Download
memory/2316-95-0x00007FFCD4E70000-0x00007FFCD4F45000-memory.dmp

Filesize
852KB

Download
memory/2316-90-0x000001AB8B920000-0x000001AB8B927000-memory.dmp

Filesize
28KB

Download
memory/3420-25-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-46-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-17-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-18-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-19-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-20-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-21-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-22-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-23-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-24-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-15-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-26-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-28-0x00000000028A0000-0x00000000028A7000-memory.dmp

Filesize
28KB

Download
memory/3420-27-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-34-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-35-0x00007FFCE2CC0000-0x00007FFCE2CD0000-memory.dmp

Filesize
64KB

Download
memory/3420-44-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-16-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-14-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-13-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-5-0x00007FFCE0DEA000-0x00007FFCE0DEB000-memory.dmp

Filesize
4KB

Download
memory/3420-4-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3420-9-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-12-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-11-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-10-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3420-7-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3548-61-0x00007FFCD4E70000-0x00007FFCD4F4B000-memory.dmp

Filesize
876KB

Download
memory/3548-55-0x00007FFCD4E70000-0x00007FFCD4F4B000-memory.dmp

Filesize
876KB

Download
memory/3548-56-0x000001FA19EF0000-0x000001FA19EF7000-memory.dmp

Filesize
28KB

Download
memory/4792-78-0x00007FFCD4E70000-0x00007FFCD4F45000-memory.dmp

Filesize
852KB

Download
memory/4792-72-0x00007FFCD4E70000-0x00007FFCD4F45000-memory.dmp

Filesize
852KB

Download
memory/4792-73-0x000002248C420000-0x000002248C427000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads