dridex | c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4

General

Target

c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4.dll
Size

1.7MB
MD5

1b27f30b823c59968581b70c08e55337
SHA1

c3f4fa24983e341b0bfeb31c53189a87e1145c86
SHA256

c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4
SHA512

55a7f0686786f8e735f5eaa150a1f5dedb8fbad662892ce71fa950e1160966b7f5bfb8827eab3a46d9f20abf0a6ea89f3c33da9bb55c07ca6310ab5aab4dca29
SSDEEP

12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1q:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3532-4-0x0000000007140000-0x0000000007141000-memory.dmp	dridex_stager_shellcode

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vwzV6I
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vwzV6I\UxTheme.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vwzV6I\Taskmgr.exe

Executes dropped EXE 4 IoCs

Processes:

Narrator.exeMusNotificationUx.exeeudcedit.exeTaskmgr.exe

pid process

3808 Narrator.exe
3700 MusNotificationUx.exe
3492 eudcedit.exe
2096 Taskmgr.exe
Loads dropped DLL 3 IoCs

Processes:

MusNotificationUx.exeeudcedit.exeTaskmgr.exe

pid process

3700 MusNotificationUx.exe
3492 eudcedit.exe
2096 Taskmgr.exe

pid	process
3808	Narrator.exe
3700	MusNotificationUx.exe
3492	eudcedit.exe
2096	Taskmgr.exe

pid	process
3700	MusNotificationUx.exe
3492	eudcedit.exe
2096	Taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iwctvdcrnln = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\jxU3e91\\eudcedit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeMusNotificationUx.exeeudcedit.exeTaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4664	rundll32.exe
4664	rundll32.exe
4664	rundll32.exe
4664	rundll32.exe
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532
Token: SeShutdownPrivilege	3532
Token: SeCreatePagefilePrivilege	3532

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3532
3532
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3532

pid	process
3532
3532

pid	process
3532

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3532 wrote to memory of 3512	3532	Narrator.exe
PID 3532 wrote to memory of 3512	3532	Narrator.exe
PID 3532 wrote to memory of 1568	3532	MusNotificationUx.exe
PID 3532 wrote to memory of 1568	3532	MusNotificationUx.exe
PID 3532 wrote to memory of 3700	3532	MusNotificationUx.exe
PID 3532 wrote to memory of 3700	3532	MusNotificationUx.exe
PID 3532 wrote to memory of 1488	3532	eudcedit.exe
PID 3532 wrote to memory of 1488	3532	eudcedit.exe
PID 3532 wrote to memory of 3492	3532	eudcedit.exe
PID 3532 wrote to memory of 3492	3532	eudcedit.exe
PID 3532 wrote to memory of 3748	3532	Taskmgr.exe
PID 3532 wrote to memory of 3748	3532	Taskmgr.exe
PID 3532 wrote to memory of 2096	3532	Taskmgr.exe
PID 3532 wrote to memory of 2096	3532	Taskmgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:3512

C:\Users\Admin\AppData\Local\xSlQw9ic\Narrator.exe
C:\Users\Admin\AppData\Local\xSlQw9ic\Narrator.exe
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\73cSqx\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\73cSqx\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3700

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:1488

C:\Users\Admin\AppData\Local\nWf\eudcedit.exe
C:\Users\Admin\AppData\Local\nWf\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3492

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:3748

C:\Users\Admin\AppData\Local\EkuHvSme\Taskmgr.exe
C:\Users\Admin\AppData\Local\EkuHvSme\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\73cSqx\MusNotificationUx.exe
Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\73cSqx\XmlLite.dll
Filesize
1.7MB

MD5
d836fda4a90c27505a82732416ca8786

SHA1
228dc75b78d8a4119bfc833da5a7a3f44e32f159

SHA256
ea9ba9fd3cdd0b3f4d19f87f4e99a86964b9c2bb95ab69c65e89360d16d93299

SHA512
3f8504d225f477d69dc0be847701b6337bbe6e298175b508c60a13ba93c4c7d8b852ec3747263aede90d9b1b5d2a12558fee2bd827d7a45446fde24cfe47a9cb

Download Submit
C:\Users\Admin\AppData\Local\EkuHvSme\Taskmgr.exe
Filesize
1.2MB

MD5
58d5bc7895f7f32ee308e34f06f25dd5

SHA1
7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

SHA256
4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

SHA512
872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

Download Submit
C:\Users\Admin\AppData\Local\EkuHvSme\UxTheme.dll
Filesize
1.7MB

MD5
41c26ec5d3ccb2ef5d8f31752fc942b1

SHA1
29e7ae239ce35c3f35d166e4e4dcb2c43fb56a53

SHA256
633752bb6d0ff5a7926ab66dcec1321d071b181df6390682e64986c1ac667e07

SHA512
6abcb91bd4ee6b5bf2c16999fc1df9d48ccc42aab4d1ad66eafa5ec01a437966a3962fee646e0288843cbe69291af988a82758d96dca8ca4adfc2d06c08cfc3d

Download Submit
C:\Users\Admin\AppData\Local\nWf\MFC42u.dll
Filesize
1.7MB

MD5
96f9cfcf7d11b7ce92a14b136286f026

SHA1
cd9fbddc7822ebdd35e6e66f74a68605254b6551

SHA256
270e40326d0a182588775e6edc7beffbfc733bc8bca2ad4647b983bf54629f86

SHA512
06a47c8d89b80d871fe1f1cb0540f4b7871c4c7de46e22450fd014a0e93640355b67ffdec9d6a27cb6f2728be1f03fb13fd1495334e101ccc7c38c5a6a5b8f30

Download Submit
C:\Users\Admin\AppData\Local\nWf\eudcedit.exe
Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\xSlQw9ic\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Puokv.lnk
Filesize
1KB

MD5
4d877d9ce746203c7ada156b96064721

SHA1
0a6afa009b83120d235e9bbd9e095cb658d0b0ef

SHA256
0210b4ef1d9da487da6df0745d40e951eadbe149d4525a535e29adc2e94c73b7

SHA512
0955488bc0b246c799d23c656a5f3f00f6c557041d05c4a4a5d9c76f4d3e0c7e4541cb395d23ed2fb31b3ba465c840c1be9096fe5dc1e03ec880e36c1d878d8f

Download Submit
memory/3492-108-0x000001F7C1B80000-0x000001F7C1B87000-memory.dmp

Filesize
28KB

Download
memory/3532-42-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-33-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-32-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-31-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-30-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-29-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-27-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-28-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-25-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-69-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-67-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-61-0x00007FF978040000-0x00007FF978050000-memory.dmp

Filesize
64KB

Download
memory/3532-60-0x0000000007120000-0x0000000007127000-memory.dmp

Filesize
28KB

Download
memory/3532-19-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-13-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-12-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-11-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-56-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-49-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-48-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-47-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-46-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-45-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-6-0x00007FF977DFA000-0x00007FF977DFB000-memory.dmp

Filesize
4KB

Download
memory/3532-41-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-40-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-39-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-34-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-7-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-26-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-24-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-23-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-22-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-21-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-20-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-35-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-4-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/3532-10-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-36-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-16-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-37-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-18-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-17-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-15-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-44-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-43-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-9-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-38-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3532-14-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3700-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3700-92-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3700-91-0x0000021C87C90000-0x0000021C87C97000-memory.dmp

Filesize
28KB

Download
memory/4664-0-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4664-3-0x000002A490420000-0x000002A490427000-memory.dmp

Filesize
28KB

Download
memory/4664-8-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads