dridex | 486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57

General

Target

486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57.dll
Size

940KB
MD5

11be54b786128e0cd33b731becbbdf42
SHA1

125ab787fdffe99ef10701ffc3b39f651324a9b5
SHA256

486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57
SHA512

10b4229d9a37c2d1b2514c27c4e6525512220f29e6e056d47a1211720829a7edd5a7c996b7c29def21cc6296a96120b907725d8b78bff5686ce809ad9628d920
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3488-3-0x0000000000D10000-0x0000000000D11000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1804-1-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3488-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3488-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/1804-38-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3380-46-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3380-50-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/1144-66-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/2332-81-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

ie4ushowIE.exeApplySettingsTemplateCatalog.exeApplySettingsTemplateCatalog.exe

pid process

3380 ie4ushowIE.exe
1144 ApplySettingsTemplateCatalog.exe
2332 ApplySettingsTemplateCatalog.exe
Loads dropped DLL 3 IoCs

Processes:

ie4ushowIE.exeApplySettingsTemplateCatalog.exeApplySettingsTemplateCatalog.exe

pid process

3380 ie4ushowIE.exe
1144 ApplySettingsTemplateCatalog.exe
2332 ApplySettingsTemplateCatalog.exe

pid	process
3380	ie4ushowIE.exe
1144	ApplySettingsTemplateCatalog.exe
2332	ApplySettingsTemplateCatalog.exe

pid	process
3380	ie4ushowIE.exe
1144	ApplySettingsTemplateCatalog.exe
2332	ApplySettingsTemplateCatalog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3442511616-637977696-3186306149-1000\\Oehzgt8vN\\ApplySettingsTemplateCatalog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeie4ushowIE.exeApplySettingsTemplateCatalog.exeApplySettingsTemplateCatalog.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3488
3488

pid	process
3488
3488

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3488 wrote to memory of 804	3488	ie4ushowIE.exe
PID 3488 wrote to memory of 804	3488	ie4ushowIE.exe
PID 3488 wrote to memory of 3380	3488	ie4ushowIE.exe
PID 3488 wrote to memory of 3380	3488	ie4ushowIE.exe
PID 3488 wrote to memory of 2464	3488	ApplySettingsTemplateCatalog.exe
PID 3488 wrote to memory of 2464	3488	ApplySettingsTemplateCatalog.exe
PID 3488 wrote to memory of 1144	3488	ApplySettingsTemplateCatalog.exe
PID 3488 wrote to memory of 1144	3488	ApplySettingsTemplateCatalog.exe
PID 3488 wrote to memory of 2056	3488	ApplySettingsTemplateCatalog.exe
PID 3488 wrote to memory of 2056	3488	ApplySettingsTemplateCatalog.exe
PID 3488 wrote to memory of 2332	3488	ApplySettingsTemplateCatalog.exe
PID 3488 wrote to memory of 2332	3488	ApplySettingsTemplateCatalog.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\486becacbf7f93c89448318ceacafc3fff79c6caa82e3daf4091857b33326a57.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:804

C:\Users\Admin\AppData\Local\QjueNTj\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\QjueNTj\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3380

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Wzu3top\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\Wzu3top\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1144

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:2056

C:\Users\Admin\AppData\Local\KBqy\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\KBqy\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KBqy\ACTIVEDS.dll

Filesize
944KB

MD5
61d6e81d0e2b371f29cd7cfc750bbff5

SHA1
a4c4ea5dbadcd03e79acf39c0dd68e7172511fb8

SHA256
5c3ef21e122e75fabc95aa9f57fc6f61ab396fb4c798a08f759a1d41d78e51b1

SHA512
dc3f2d7c216ba1b33af07caebf3522d875ceeb44962cdb0081c3eaf3ccf38389afec62002d2bbd0a7072a9de48b8a6f53347e5c7d8674aa33936ae1a87ca38da

Download Submit
C:\Users\Admin\AppData\Local\QjueNTj\VERSION.dll

Filesize
944KB

MD5
cf70b757efb4e9738236e078f15c620b

SHA1
dee2ff6eddc9c83834c91baf4727e0bfe41d2116

SHA256
7efd37b81dfccb65634603bcb817a46686805e89c4bdf9791ce2ffcd9c328cd6

SHA512
8d5dc5665e654706efb8362f6fa606d06064a51d2d2bb5a4a5a3ed139499d3ce9db645ae4b4330d3cc97f8293cb6d60fc82137b8cbc9f695265c3f8f3d89a3da

Download Submit
C:\Users\Admin\AppData\Local\QjueNTj\ie4ushowIE.exe

Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\Wzu3top\ACTIVEDS.dll

Filesize
944KB

MD5
e16e041cea43ee5d92799c0e057af303

SHA1
d7f174aecc552a97e28cfa6be8dcb106116bbf3e

SHA256
f40545f4d2001da84be2a9f3b8889ad921d42f64d619286929e73f2c3fabe319

SHA512
e3fd7d6cf283a63026d35ff6e746abdc3ad2c34894b3c01d33878b3c2a5be351ec3cf8e28133de0c9b3e712b40c0db32058b6c4a4d7a9d1a4146aa88f381e258

Download Submit
C:\Users\Admin\AppData\Local\Wzu3top\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
032dc545bc71623c3d2770dffa87b4f0

SHA1
f279f03325a5b8d4b9221a259be479c2ae4d1b16

SHA256
ceb31e6b2882835114e6390d44cf5930408fdee5a6583800f7d8957d31c05a04

SHA512
ea5ba452a8abefbce4d9e87ecc41e8ab93837e70e52b0e4d9a626f0ef13f28826c161766f542712aa54f966798c0d6198f5ec402008184b0ebdc568e990c4aae

Download Submit
memory/1144-61-0x0000016612A10000-0x0000016612A17000-memory.dmp

Filesize
28KB

Download
memory/1144-66-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1804-38-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1804-0-0x0000026CC93B0000-0x0000026CC93B7000-memory.dmp

Filesize
28KB

Download
memory/1804-1-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2332-81-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3380-45-0x0000019A788C0000-0x0000019A788C7000-memory.dmp

Filesize
28KB

Download
memory/3380-50-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3380-46-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3488-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-25-0x00007FFD85CC0000-0x00007FFD85CD0000-memory.dmp

Filesize
64KB

Download
memory/3488-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-26-0x00007FFD85CB0000-0x00007FFD85CC0000-memory.dmp

Filesize
64KB

Download
memory/3488-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-23-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

Filesize
28KB

Download
memory/3488-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3488-5-0x00007FFD8583A000-0x00007FFD8583B000-memory.dmp

Filesize
4KB

Download
memory/3488-3-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads