dridex | 299ca619e685fd6048d3e32a1e87442a7c0452851d0a10d1917e9599701d95cb

General

Target

299ca619e685fd6048d3e32a1e87442a7c0452851d0a10d1917e9599701d95cb.dll
Size

940KB
MD5

f31d12c6f9c83ee5bc000f73237d823d
SHA1

9524ee61a2d9bd0f246ea128226d9b06ff4275d8
SHA256

299ca619e685fd6048d3e32a1e87442a7c0452851d0a10d1917e9599701d95cb
SHA512

8b59d757c0f00e6c65515bb1374f4bccd20e419ffc5c9b19ca90e275d4222bd9f53849cce7e349fdb03bf2092beb3b1321d7049662beb95a4bf5fc503ee6ce90
SSDEEP

12288:wPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:wtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-4-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2888-0-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1188-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2888-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1188-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1188-38-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/396-54-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/396-57-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/2564-68-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2564-72-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2176-88-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

Magnify.exefveprompt.exeSndVol.exe

pid process

396 Magnify.exe
2564 fveprompt.exe
2176 SndVol.exe
Loads dropped DLL 7 IoCs

Processes:

Magnify.exefveprompt.exeSndVol.exe

pid process

1188
396 Magnify.exe
1188
2564 fveprompt.exe
1188
2176 SndVol.exe
1188

pid	process
396	Magnify.exe
2564	fveprompt.exe
2176	SndVol.exe

pid	process
1188
396	Magnify.exe
1188
2564	fveprompt.exe
1188
2176	SndVol.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\I2Q9uOr\\FVEPRO~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeMagnify.exefveprompt.exeSndVol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2888	rundll32.exe
2888	rundll32.exe
2888	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1188 wrote to memory of 1056	1188	Magnify.exe
PID 1188 wrote to memory of 1056	1188	Magnify.exe
PID 1188 wrote to memory of 1056	1188	Magnify.exe
PID 1188 wrote to memory of 396	1188	Magnify.exe
PID 1188 wrote to memory of 396	1188	Magnify.exe
PID 1188 wrote to memory of 396	1188	Magnify.exe
PID 1188 wrote to memory of 2844	1188	fveprompt.exe
PID 1188 wrote to memory of 2844	1188	fveprompt.exe
PID 1188 wrote to memory of 2844	1188	fveprompt.exe
PID 1188 wrote to memory of 2564	1188	fveprompt.exe
PID 1188 wrote to memory of 2564	1188	fveprompt.exe
PID 1188 wrote to memory of 2564	1188	fveprompt.exe
PID 1188 wrote to memory of 1304	1188	SndVol.exe
PID 1188 wrote to memory of 1304	1188	SndVol.exe
PID 1188 wrote to memory of 1304	1188	SndVol.exe
PID 1188 wrote to memory of 2176	1188	SndVol.exe
PID 1188 wrote to memory of 2176	1188	SndVol.exe
PID 1188 wrote to memory of 2176	1188	SndVol.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\299ca619e685fd6048d3e32a1e87442a7c0452851d0a10d1917e9599701d95cb.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:1056

C:\Users\Admin\AppData\Local\N0kX2OP\Magnify.exe
C:\Users\Admin\AppData\Local\N0kX2OP\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:396

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\7qloOgV\fveprompt.exe
C:\Users\Admin\AppData\Local\7qloOgV\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2564

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:1304

C:\Users\Admin\AppData\Local\qQo90ebrb\SndVol.exe
C:\Users\Admin\AppData\Local\qQo90ebrb\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7qloOgV\slc.dll

Filesize
944KB

MD5
4e8d8891f0c51d37a851923d3ce131f3

SHA1
605619ccf5652e5b5fa312b461d079433b8b687e

SHA256
ad7275b3260c2309a0ae05087585c4ad95e00d865af6489976de1ce73e10a051

SHA512
c01f15cf2d89d21c14883a8a5779f3177f374723656d081cd2376b6b1a80e3f2e8a6b684d81bee07293f8d9dee24d19cf0d0ae0d91d1d021fb6c88a7eadfb22f

Download Submit
C:\Users\Admin\AppData\Local\N0kX2OP\DUI70.dll

Filesize
1.1MB

MD5
fbea4d85cea0ee3537f26490a5a056df

SHA1
1cbf9d0003f699228b21433b850405537469ce22

SHA256
192bf1ab36471246df326a40c2aa94d906d57a3ca563717e6c6e38ed46d019a3

SHA512
a3b9df6523f999f85e3be02fe8492d9f06b505f9b2b8752fa0d577ff779f1d2f6814348068fc95c2f0455f2b04f04da10fd6473370575f459a3753e27af189cf

Download Submit
C:\Users\Admin\AppData\Local\N0kX2OP\Magnify.exe

Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
C:\Users\Admin\AppData\Local\qQo90ebrb\dwmapi.dll

Filesize
944KB

MD5
06e7ec100506068ba0f415b378b33280

SHA1
60fd1014be1c939335e39a811e2b3db7e751828e

SHA256
6d99b86a9af92e5177119612f8654631b1aaeaeb7d2b8a1106b8eb836832f6e3

SHA512
69b3d303bdae920ab772baff4ab4498e2b1af1dbd8dd6c3af727996ccf81af7515f9b2df7938c461123fe8da52638f67f6970721154d513b8255bae06e168e31

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
eb26e77e037e0e90debb9b942715e9a5

SHA1
3bedd1149ec74fcbbe810c22d6cb85f76fa04300

SHA256
03a70cc83a069c727f004bd9259ee122be847d10eb5248e23473672e676b38ee

SHA512
15bf7e2b8a582065a5ecb10002ab16e6cd7da6b59cfc1158303f53ce75374ae5bca0361821ba7e2e19f66262abdc0a11f87e9c5bfabf9d4631f69d6fe13c9e8c

Download Submit
\Users\Admin\AppData\Local\7qloOgV\fveprompt.exe

Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\qQo90ebrb\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
memory/396-57-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/396-54-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/396-53-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1188-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-26-0x0000000077020000-0x0000000077022000-memory.dmp

Filesize
8KB

Download
memory/1188-25-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/1188-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1188-38-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-45-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1188-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-3-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1188-23-0x0000000002590000-0x0000000002597000-memory.dmp

Filesize
28KB

Download
memory/1188-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2176-88-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2564-67-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2564-72-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2564-68-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2888-0-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2888-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2888-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads