dridex | 9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3

General

Target

9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3.dll
Size

940KB
MD5

33542753fda57b6a2eb61fcf509298d3
SHA1

ae14ea0f0e01de7ef2f4ff2e60361f1065853616
SHA256

9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3
SHA512

f664c54e9f1efe596219f4abb442d93eae6723dd377739323b619d229b4d8ded802c6b4e5a22227b8498692a4faed9c83bf4e5b82ba1e1644520140b18c6eec3
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3456-3-0x00000000024D0000-0x00000000024D1000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1560-0-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3456-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3456-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/1560-38-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/2980-45-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/2980-50-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3360-66-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/4248-81-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

recdisc.exeSystemPropertiesRemote.exeCustomShellHost.exe

pid process

2980 recdisc.exe
3360 SystemPropertiesRemote.exe
4248 CustomShellHost.exe
Loads dropped DLL 3 IoCs

Processes:

recdisc.exeSystemPropertiesRemote.exeCustomShellHost.exe

pid process

2980 recdisc.exe
3360 SystemPropertiesRemote.exe
4248 CustomShellHost.exe

pid	process
2980	recdisc.exe
3360	SystemPropertiesRemote.exe
4248	CustomShellHost.exe

pid	process
2980	recdisc.exe
3360	SystemPropertiesRemote.exe
4248	CustomShellHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\NzYo\\SystemPropertiesRemote.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesRemote.exeCustomShellHost.exerundll32.exerecdisc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3456
3456

pid	process
3456
3456

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 3624	3456	recdisc.exe
PID 3456 wrote to memory of 3624	3456	recdisc.exe
PID 3456 wrote to memory of 2980	3456	recdisc.exe
PID 3456 wrote to memory of 2980	3456	recdisc.exe
PID 3456 wrote to memory of 1932	3456	SystemPropertiesRemote.exe
PID 3456 wrote to memory of 1932	3456	SystemPropertiesRemote.exe
PID 3456 wrote to memory of 3360	3456	SystemPropertiesRemote.exe
PID 3456 wrote to memory of 3360	3456	SystemPropertiesRemote.exe
PID 3456 wrote to memory of 2332	3456	CustomShellHost.exe
PID 3456 wrote to memory of 2332	3456	CustomShellHost.exe
PID 3456 wrote to memory of 4248	3456	CustomShellHost.exe
PID 3456 wrote to memory of 4248	3456	CustomShellHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:3624

C:\Users\Admin\AppData\Local\8GNoOE\recdisc.exe
C:\Users\Admin\AppData\Local\8GNoOE\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2980

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:1932

C:\Users\Admin\AppData\Local\Eep\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\Eep\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3360

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:2332

C:\Users\Admin\AppData\Local\VlN7i2\CustomShellHost.exe
C:\Users\Admin\AppData\Local\VlN7i2\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8GNoOE\ReAgent.dll

Filesize
944KB

MD5
c29deccf01e80e89f2c070a0719780e2

SHA1
8c174031e7297e6628c64ccab6468fa2d4ac7919

SHA256
dad70a793428d1ab65d01292272d00aaf57adac4949462257a8323d84652b6bf

SHA512
2603714591920545b467a08f8f4f27e960edb0463400d40667ffe24e5d170a77dcfd46c0e2b00c0a9df967637675f07b6638dc2102e582bee0e0543a2cb5ece2

Download Submit
C:\Users\Admin\AppData\Local\8GNoOE\recdisc.exe

Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Local\Eep\SYSDM.CPL

Filesize
944KB

MD5
74816628d0c2dab398cf14e4cfde3114

SHA1
7a39aef01ccfd4b69dbbe28c757f4c6957e9ef4a

SHA256
2c10e8f6752e66747e42388e0deaa44c50a752d2e4a1dced61ba86435267a0ea

SHA512
3b8dbacbce8b83e6d8f1e0f3a40124cc7c953d180ac0e01750f75bc5c538fc10395f323543320b9a9643f363f515e74516b87313976620c14a5fbd79e41fd44d

Download Submit
C:\Users\Admin\AppData\Local\Eep\SystemPropertiesRemote.exe

Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\VlN7i2\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\VlN7i2\WTSAPI32.dll

Filesize
944KB

MD5
cc3a5c55eabfa39d79d7acab0781de7c

SHA1
f946b8c7259712bb1ebdd2dc39116852e3640603

SHA256
15718b4e82d2c176718f419c06fa1e70bac5e17d3440dcacc49c698956d7cae8

SHA512
ea458e156c29944ee1e8329a6b2f5c5877cb6ce7e4a1b51e0779aee718cb8ce3ab1f91d95f39f769eeae3a08108f7aa51e6b83800566e431aeda115a0c1a0cb0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
f821e9ada2ec37f3a24b902f810c7792

SHA1
e9702cc7f595580794d0ed401635747713050ec6

SHA256
e77c146e3e855e9cb9a06f8e2f8e98a636b0e6d457ac6ab2d8fe3ba7ed205c5b

SHA512
65de98392336431c2d3e5f62f62cfbb6bb25148b7f76f9b358a6b22904e398831ea6c3c3a9913d9df60ed419830f17498842cdacd2a7fd6a28e82d9590805068

Download Submit
memory/1560-0-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1560-38-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1560-2-0x000001F644040000-0x000001F644047000-memory.dmp

Filesize
28KB

Download
memory/2980-50-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2980-45-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2980-47-0x0000029AAA1C0000-0x0000029AAA1C7000-memory.dmp

Filesize
28KB

Download
memory/3360-61-0x0000023964890000-0x0000023964897000-memory.dmp

Filesize
28KB

Download
memory/3360-66-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3456-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-14-0x00007FFA4B8BA000-0x00007FFA4B8BB000-memory.dmp

Filesize
4KB

Download
memory/3456-5-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-3-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3456-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-26-0x00007FFA4D1B0000-0x00007FFA4D1C0000-memory.dmp

Filesize
64KB

Download
memory/3456-25-0x00007FFA4D1C0000-0x00007FFA4D1D0000-memory.dmp

Filesize
64KB

Download
memory/3456-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-23-0x0000000000720000-0x0000000000727000-memory.dmp

Filesize
28KB

Download
memory/3456-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3456-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4248-81-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads