dridex | a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437

General

Target

a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437.dll
Size

944KB
MD5

247c192832ca573cd01aadc171a9ee06
SHA1

c85533a89188096043caf1b880242d777b7b80ad
SHA256

a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437
SHA512

7e45df90da0b2cbf23dc3c49e79fa297450b9978159c64e7adceb1fd4891fe60f4bd2d4079ac3378b2710fe2763a0cf5a164dcf8415cb26ecde8ef8333581c15
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1180-4-0x0000000002A00000-0x0000000002A01000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/3032-1-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1180-24-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1180-36-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1180-35-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/3032-44-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2752-53-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral1/memory/2752-58-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral1/memory/396-75-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral1/memory/2952-87-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral1/memory/2952-91-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exeiexpress.exeFXSCOVER.exe

pid process

2752 SoundRecorder.exe
396 iexpress.exe
2952 FXSCOVER.exe
Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exeiexpress.exeFXSCOVER.exe

pid process

1180
2752 SoundRecorder.exe
1180
396 iexpress.exe
1180
2952 FXSCOVER.exe
1180

pid	process
2752	SoundRecorder.exe
396	iexpress.exe
2952	FXSCOVER.exe

pid	process
1180
2752	SoundRecorder.exe
1180
396	iexpress.exe
1180
2952	FXSCOVER.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\sMdC\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SoundRecorder.exeiexpress.exeFXSCOVER.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3032	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1180 wrote to memory of 2708	1180	SoundRecorder.exe
PID 1180 wrote to memory of 2708	1180	SoundRecorder.exe
PID 1180 wrote to memory of 2708	1180	SoundRecorder.exe
PID 1180 wrote to memory of 2752	1180	SoundRecorder.exe
PID 1180 wrote to memory of 2752	1180	SoundRecorder.exe
PID 1180 wrote to memory of 2752	1180	SoundRecorder.exe
PID 1180 wrote to memory of 2148	1180	iexpress.exe
PID 1180 wrote to memory of 2148	1180	iexpress.exe
PID 1180 wrote to memory of 2148	1180	iexpress.exe
PID 1180 wrote to memory of 396	1180	iexpress.exe
PID 1180 wrote to memory of 396	1180	iexpress.exe
PID 1180 wrote to memory of 396	1180	iexpress.exe
PID 1180 wrote to memory of 2396	1180	FXSCOVER.exe
PID 1180 wrote to memory of 2396	1180	FXSCOVER.exe
PID 1180 wrote to memory of 2396	1180	FXSCOVER.exe
PID 1180 wrote to memory of 2952	1180	FXSCOVER.exe
PID 1180 wrote to memory of 2952	1180	FXSCOVER.exe
PID 1180 wrote to memory of 2952	1180	FXSCOVER.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2708

C:\Users\Admin\AppData\Local\QMV83M\SoundRecorder.exe
C:\Users\Admin\AppData\Local\QMV83M\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2752

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2148

C:\Users\Admin\AppData\Local\TvlxY0Kpl\iexpress.exe
C:\Users\Admin\AppData\Local\TvlxY0Kpl\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:396

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\tOLca9\FXSCOVER.exe
C:\Users\Admin\AppData\Local\tOLca9\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QMV83M\UxTheme.dll

Filesize
948KB

MD5
3b91d5861f5095d5bc32faf3951441b5

SHA1
27db5dce0b264ceabb4b18d8c7648d9edc89ac2d

SHA256
a486789064a4e5b9b968a4408a5d0b6125bb27adf1c821bc36933ceae4a3e027

SHA512
9bb2b507ae603b027532ab6f724cef8bfbc54312162b35441e2090423c300f8f04d7c0e026fe9dd2bffddf6ddb63fb326e978812784b3f9e35febb9a136a8c88

Download Submit
C:\Users\Admin\AppData\Local\TvlxY0Kpl\VERSION.dll

Filesize
948KB

MD5
e6abd5228b0974d39f1fb1fb165e4150

SHA1
6dd57d6ae1f88d06893c2f8b4410c846acbea2ae

SHA256
8a24894f0139814b065894687563193ef746bac1a503a6204fe822b27b1e9c43

SHA512
0db35a46ddd62e0fc44cba7ccddf7e2695a6bd390d37570dd8e84539704cfb6f059b6583af52d7f01e2cfc0ae36e67b794fff030024646d6b705860c0519f7c3

Download Submit
C:\Users\Admin\AppData\Local\tOLca9\MFC42u.dll

Filesize
972KB

MD5
9c99e8b442f3e0ce6cdd643a19452159

SHA1
0655030bfef14d45167afd357be6d03804e804a7

SHA256
e3d621f42bdaf8dfc8f6f125ebd4ade66de680ade4308523c7986ac3d91f21d4

SHA512
27e85118c7703b70e3f0e64bff1499f3d1e5af764e3b5e25d51eb93a99c16a776b7414c203cc8e19966f5a70ad0e90f522011fba72fae5daf1474410164839fc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
940B

MD5
ce0064c4607328cd6e6d0194c6d6559e

SHA1
e312c93c0708e0f9283320435e433298fef83e74

SHA256
13bb4367958b45dfa4e4f6f439b25e96cd6725bdfb45ef0478dbaee431102c08

SHA512
5a74cd75425deabc98b75022fa6195828684a03c74418661e467820ab3ef259968a6b0e06bf22b18584676a77d9fb0c7ffc3a0ba7a09d2ac4e5705ab01346423

Download Submit
\Users\Admin\AppData\Local\QMV83M\SoundRecorder.exe

Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
\Users\Admin\AppData\Local\TvlxY0Kpl\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\tOLca9\FXSCOVER.exe

Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
memory/396-75-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/396-70-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1180-13-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-15-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-11-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-10-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-9-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-8-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-24-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-26-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/1180-25-0x0000000077CE0000-0x0000000077CE2000-memory.dmp

Filesize
8KB

Download
memory/1180-36-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-35-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-3-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1180-45-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1180-4-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1180-14-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-6-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-7-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-12-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1180-23-0x0000000002770000-0x0000000002777000-memory.dmp

Filesize
28KB

Download
memory/2752-58-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/2752-55-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2752-53-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/2952-87-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/2952-91-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3032-0-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/3032-44-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3032-1-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads