dridex | 486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57

General

Target

486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57.dll
Size

940KB
MD5

11be54b786128e0cd33b731becbbdf42
SHA1

125ab787fdffe99ef10701ffc3b39f651324a9b5
SHA256

486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57
SHA512

10b4229d9a37c2d1b2514c27c4e6525512220f29e6e056d47a1211720829a7edd5a7c996b7c29def21cc6296a96120b907725d8b78bff5686ce809ad9628d920
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1132-4-0x0000000002970000-0x0000000002971000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2236-0-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1132-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1132-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1132-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2236-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2604-53-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2604-57-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2500-74-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1256-90-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SndVol.exeBitLockerWizard.exeDWWIN.EXE

pid process

2604 SndVol.exe
2500 BitLockerWizard.exe
1256 DWWIN.EXE
Loads dropped DLL 7 IoCs

Processes:

SndVol.exeBitLockerWizard.exeDWWIN.EXE

pid process

1132
2604 SndVol.exe
1132
2500 BitLockerWizard.exe
1132
1256 DWWIN.EXE
1132

pid	process
2604	SndVol.exe
2500	BitLockerWizard.exe
1256	DWWIN.EXE

pid	process
1132
2604	SndVol.exe
1132
2500	BitLockerWizard.exe
1132
1256	DWWIN.EXE
1132

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\8Cym\\BITLOC~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSndVol.exeBitLockerWizard.exeDWWIN.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1132 wrote to memory of 2492	1132	SndVol.exe
PID 1132 wrote to memory of 2492	1132	SndVol.exe
PID 1132 wrote to memory of 2492	1132	SndVol.exe
PID 1132 wrote to memory of 2604	1132	SndVol.exe
PID 1132 wrote to memory of 2604	1132	SndVol.exe
PID 1132 wrote to memory of 2604	1132	SndVol.exe
PID 1132 wrote to memory of 2484	1132	BitLockerWizard.exe
PID 1132 wrote to memory of 2484	1132	BitLockerWizard.exe
PID 1132 wrote to memory of 2484	1132	BitLockerWizard.exe
PID 1132 wrote to memory of 2500	1132	BitLockerWizard.exe
PID 1132 wrote to memory of 2500	1132	BitLockerWizard.exe
PID 1132 wrote to memory of 2500	1132	BitLockerWizard.exe
PID 1132 wrote to memory of 2260	1132	DWWIN.EXE
PID 1132 wrote to memory of 2260	1132	DWWIN.EXE
PID 1132 wrote to memory of 2260	1132	DWWIN.EXE
PID 1132 wrote to memory of 1256	1132	DWWIN.EXE
PID 1132 wrote to memory of 1256	1132	DWWIN.EXE
PID 1132 wrote to memory of 1256	1132	DWWIN.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2492

C:\Users\Admin\AppData\Local\99I\SndVol.exe
C:\Users\Admin\AppData\Local\99I\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2604

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2484

C:\Users\Admin\AppData\Local\wAvQFqmd2\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\wAvQFqmd2\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2500

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2260

C:\Users\Admin\AppData\Local\MVd\DWWIN.EXE
C:\Users\Admin\AppData\Local\MVd\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\99I\dwmapi.dll

Filesize
944KB

MD5
e690e40f73bbf61e1467beab34d5557e

SHA1
893f3f86d68644b54dcbc96b9bd1358f16c805a8

SHA256
90b83b92e09625414493a53bd9ef5d8797d376b4f2332bb24a9bbf125265ff69

SHA512
9d6e45a54e60bc4738aa8e4d547fb77497bce1dc7b2eb5b732297a254f0aaabad1c1f7e078a51991d85311f909bf64fbd06cf58afea0f6b7ca9cc52a0fbe380a

Download Submit
C:\Users\Admin\AppData\Local\MVd\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\MVd\wer.dll

Filesize
944KB

MD5
cdd4176035fff73f152648ed5a7ff7ec

SHA1
f3ec434955bf94b591b7b06e002b07856880a29e

SHA256
c80dfe8fda86b8edd21dc97a7f0bec42a431e6608af892f472c04e5b9675bd88

SHA512
141442ca3da71b656f0069b8647026609a730231ebb122308d19e2329ddaea4013668dd1b7d10a141f8899b8835db1da4d52ff1dcd58e31e446156bf48bb1e90

Download Submit
C:\Users\Admin\AppData\Local\wAvQFqmd2\FVEWIZ.dll

Filesize
944KB

MD5
63024cc6eaed801b4282c3a5679c7c42

SHA1
06d387c39460bbc68cb0c915af64482d4e4e95d9

SHA256
5c637e35b28e47d4fbd12083cf38990dc5e98893d28c8bb505bd8fffc06ff912

SHA512
fa0a42e30eb888cd367715dac07b4aa523af0bf68cee3b51302fc0d5205ea8f58cac54dcb5de2549ca36c96b771e4a9ca57267db14c10ed1779cf3267452ab26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1003B

MD5
04ef9e41ba044178d3aeb14bacdf56b9

SHA1
c973d2170bb54468c2e1508bfa5ba3ca583687de

SHA256
35105a695a0f0b628011d8e1249fde9de48c2ebd3033c6459bf87e900991439d

SHA512
c1bc93722536091140118ca49d73eb14fb6113c7191c70f80917e826e4b9680d12e425fbe1d8a26b25e27cc669cde87f4ddd515d9107b9e2ba005782f581a404

Download Submit
\Users\Admin\AppData\Local\99I\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\wAvQFqmd2\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
memory/1132-25-0x0000000077730000-0x0000000077732000-memory.dmp

Filesize
8KB

Download
memory/1132-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-26-0x0000000077760000-0x0000000077762000-memory.dmp

Filesize
8KB

Download
memory/1132-3-0x00000000774C6000-0x00000000774C7000-memory.dmp

Filesize
4KB

Download
memory/1132-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-4-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1132-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-19-0x0000000002980000-0x0000000002987000-memory.dmp

Filesize
28KB

Download
memory/1132-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1132-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1256-90-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2236-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2236-1-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2236-0-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2500-71-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2500-74-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2604-57-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2604-53-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2604-52-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads