dridex | a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437

General

Target

a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437.dll
Size

944KB
MD5

247c192832ca573cd01aadc171a9ee06
SHA1

c85533a89188096043caf1b880242d777b7b80ad
SHA256

a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437
SHA512

7e45df90da0b2cbf23dc3c49e79fa297450b9978159c64e7adceb1fd4891fe60f4bd2d4079ac3378b2710fe2763a0cf5a164dcf8415cb26ecde8ef8333581c15
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3444-3-0x0000000002870000-0x0000000002871000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2532-1-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3444-24-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3444-35-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/2532-38-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/616-46-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/616-50-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/1008-62-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral2/memory/1008-66-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral2/memory/1988-81-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

msconfig.exedccw.exeSndVol.exe

pid process

616 msconfig.exe
1008 dccw.exe
1988 SndVol.exe
Loads dropped DLL 3 IoCs

Processes:

msconfig.exedccw.exeSndVol.exe

pid process

616 msconfig.exe
1008 dccw.exe
1988 SndVol.exe

pid	process
616	msconfig.exe
1008	dccw.exe
1988	SndVol.exe

pid	process
616	msconfig.exe
1008	dccw.exe
1988	SndVol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\Bvgxrk\\dccw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsconfig.exedccw.exeSndVol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2532	rundll32.exe
2532	rundll32.exe
2532	rundll32.exe
2532	rundll32.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3444

pid	process
3444

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3444 wrote to memory of 2444	3444	msconfig.exe
PID 3444 wrote to memory of 2444	3444	msconfig.exe
PID 3444 wrote to memory of 616	3444	msconfig.exe
PID 3444 wrote to memory of 616	3444	msconfig.exe
PID 3444 wrote to memory of 3096	3444	dccw.exe
PID 3444 wrote to memory of 3096	3444	dccw.exe
PID 3444 wrote to memory of 1008	3444	dccw.exe
PID 3444 wrote to memory of 1008	3444	dccw.exe
PID 3444 wrote to memory of 1876	3444	SndVol.exe
PID 3444 wrote to memory of 1876	3444	SndVol.exe
PID 3444 wrote to memory of 1988	3444	SndVol.exe
PID 3444 wrote to memory of 1988	3444	SndVol.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7354e5306bdf5dcadd84c2ecda098a0e18abde5a12a9ccb82b140e37dafc437.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2444

C:\Users\Admin\AppData\Local\CQd\msconfig.exe
C:\Users\Admin\AppData\Local\CQd\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:616

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:3096

C:\Users\Admin\AppData\Local\VHkM7r\dccw.exe
C:\Users\Admin\AppData\Local\VHkM7r\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1008

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:1876

C:\Users\Admin\AppData\Local\YsMvLJ0x\SndVol.exe
C:\Users\Admin\AppData\Local\YsMvLJ0x\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CQd\VERSION.dll

Filesize
948KB

MD5
8fcbc3c07cec124e26b7cae4371003a5

SHA1
bf45768865270e501b4cc8abdb9957bbbb503762

SHA256
98e48a8d8d6b7b12dd3c9f287dcb5993f17a602891a8ce9ed677c12b60cb5a55

SHA512
8493fd658123f90cd43651924dcf82c8302626c6f310f8f285d573a76477bb2db7164ee8d064635ee193b8d09dae5bc285070880a11985b5fbffbf40eea4e6a9

Download Submit
C:\Users\Admin\AppData\Local\CQd\msconfig.exe

Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\VHkM7r\dccw.exe

Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\VHkM7r\mscms.dll

Filesize
952KB

MD5
e82a154a3f5be2811a69c5283d79e34d

SHA1
9460e77f381fdb46d51286543d9474af8f389700

SHA256
ef9c11216c164f3a2fbe8e162d7f573388bfe8ba30bd3023aa67396695649f46

SHA512
58645667fa71b86460eb80d20737a888b591a9a9d53e98a904fdf94b11e195dd19b7d31275a6302b62dd98d894caf8a1f8bcecf383a9dfd3cfde7a6ec55af621

Download Submit
C:\Users\Admin\AppData\Local\YsMvLJ0x\SndVol.exe

Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\YsMvLJ0x\dwmapi.dll

Filesize
948KB

MD5
dd93ac7cc273c9339bd7118ca7c2b48b

SHA1
fc2f7595e63966a02e2fd6cb9514ade36e720f04

SHA256
4cf4cf1122df60c3d50dcdaba24f49441032220f72c7fdbcb432b893e124aa69

SHA512
8b0df285c0dd3b796fd7eb6a81548a49c3058af3022a8cde09a62bda19f61adccbc34d31aa446832ef2a4a3a399751252e543162353bdf248cdd41b15314f147

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
7f187091bf8bd63c9fd9570d57c14051

SHA1
5a0d71ccc11a88f4f44de7780a6011c97447cd39

SHA256
187b82f22e1b356d71f5a782983ef23ccf9c36526391cec875bf343ced29142d

SHA512
bc4994c3e4fa91b5061f07a1ea3602f28316101e6c2fb3e4197ea15b0e0f55acd1e4d3e93565d682b734f818914f268db1535cb6484e781b37c66a4ed9e35e9c

Download Submit
memory/616-50-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/616-46-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/616-45-0x000002381F3C0000-0x000002381F3C7000-memory.dmp

Filesize
28KB

Download
memory/1008-61-0x0000018C4AF40000-0x0000018C4AF47000-memory.dmp

Filesize
28KB

Download
memory/1008-62-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1008-66-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1988-81-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/2532-0-0x0000022138C00000-0x0000022138C07000-memory.dmp

Filesize
28KB

Download
memory/2532-38-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2532-1-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-13-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-35-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-25-0x00007FFCED640000-0x00007FFCED650000-memory.dmp

Filesize
64KB

Download
memory/3444-26-0x00007FFCED630000-0x00007FFCED640000-memory.dmp

Filesize
64KB

Download
memory/3444-24-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-7-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-8-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-9-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-10-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-11-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-12-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-23-0x00000000008E0000-0x00000000008E7000-memory.dmp

Filesize
28KB

Download
memory/3444-14-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-15-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-6-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3444-5-0x00007FFCEBCDA000-0x00007FFCEBCDB000-memory.dmp

Filesize
4KB

Download
memory/3444-3-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads