dridex | 06618db79b292fe5270cdf536e70181a66533021d5fba89cf6cee8151e28830a

General

Target

06618db79b292fe5270cdf536e70181a66533021d5fba89cf6cee8151e28830a.dll
Size

940KB
MD5

4c744bdf154706d67cce0294ea1c301c
SHA1

177a8dd5df4aba873b8c29d2d2f52d7188204de0
SHA256

06618db79b292fe5270cdf536e70181a66533021d5fba89cf6cee8151e28830a
SHA512

76481e9906d7c8225a77e6d87622c9f79fe5bd3f44f22a04487747a15f2966f0cab259a94f7ed9cd08f05203bccff6d4001e143a6420910a8c96c879bb30e61a
SSDEEP

12288:wPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:wtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3412-4-0x00000000030A0000-0x00000000030A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2324-1-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3412-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3412-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/2324-38-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/2492-46-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/2492-50-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/3452-61-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3452-66-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/372-81-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

msdt.exesethc.exetabcal.exe

pid process

2492 msdt.exe
3452 sethc.exe
372 tabcal.exe
Loads dropped DLL 3 IoCs

Processes:

msdt.exesethc.exetabcal.exe

pid process

2492 msdt.exe
3452 sethc.exe
372 tabcal.exe

pid	process
2492	msdt.exe
3452	sethc.exe
372	tabcal.exe

pid	process
2492	msdt.exe
3452	sethc.exe
372	tabcal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsrvevdpr = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\iHl\\sethc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsdt.exesethc.exetabcal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3412 wrote to memory of 2000	3412	msdt.exe
PID 3412 wrote to memory of 2000	3412	msdt.exe
PID 3412 wrote to memory of 2492	3412	msdt.exe
PID 3412 wrote to memory of 2492	3412	msdt.exe
PID 3412 wrote to memory of 1888	3412	sethc.exe
PID 3412 wrote to memory of 1888	3412	sethc.exe
PID 3412 wrote to memory of 3452	3412	sethc.exe
PID 3412 wrote to memory of 3452	3412	sethc.exe
PID 3412 wrote to memory of 4528	3412	tabcal.exe
PID 3412 wrote to memory of 4528	3412	tabcal.exe
PID 3412 wrote to memory of 372	3412	tabcal.exe
PID 3412 wrote to memory of 372	3412	tabcal.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06618db79b292fe5270cdf536e70181a66533021d5fba89cf6cee8151e28830a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2000

C:\Users\Admin\AppData\Local\tx5zgO8\msdt.exe
C:\Users\Admin\AppData\Local\tx5zgO8\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2492

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1888

C:\Users\Admin\AppData\Local\nByD\sethc.exe
C:\Users\Admin\AppData\Local\nByD\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3452

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:4528

C:\Users\Admin\AppData\Local\vzbHfYJ\tabcal.exe
C:\Users\Admin\AppData\Local\vzbHfYJ\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nByD\OLEACC.dll

Filesize
944KB

MD5
5ed06ab9403fb7063937a0488a99e314

SHA1
c86e7d0e8f98f710c6d50dba3ce3f8b85ca38b16

SHA256
8ae3d86a3d8914953215722c45bbc4af52d591e3a665a73ef9398a1a2fece9f6

SHA512
7ed1fee2d2776a1d09851bb3099fa1e0807a103051f7d1a421e975bf3ed3cbf5125f1007d7d719f4c6657354e6073f421f8a1dc66c97eb5c063b860970278ca0

Download Submit
C:\Users\Admin\AppData\Local\nByD\sethc.exe

Filesize
104KB

MD5
8ba3a9702a3f1799431cad6a290223a6

SHA1
9c7dc9b6830297c8f759d1f46c8b36664e26c031

SHA256
615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

SHA512
680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

Download Submit
C:\Users\Admin\AppData\Local\tx5zgO8\DUser.dll

Filesize
948KB

MD5
eca60aab891cc75f2912406f1246fd58

SHA1
30ad25ec0420033d717dc805e5a7cae0eede671c

SHA256
ce7c6ffc66f5be90ef01f6f7f5923b3e9d18f58830a09c9bddac4d55b1301654

SHA512
25f8aa22240d81ed7050d855ecdbff6944e302a9d46f9c37b74098c41d34637b7f4dbbf8bce35c95d6548f11b4514c7ee39083a61aff282b9edcd59116db372c

Download Submit
C:\Users\Admin\AppData\Local\tx5zgO8\msdt.exe

Filesize
421KB

MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
C:\Users\Admin\AppData\Local\vzbHfYJ\HID.DLL

Filesize
944KB

MD5
e988db23aae77bd66932b1e01a6fe051

SHA1
1e6df1094e23c111782809cd9719aba676d0b2df

SHA256
3fd5f3b0d9325b9eefcd29640a4221bc0fa7591f35baad37ee0ff753482218bb

SHA512
b78d706f5721a2fc7d94ddc4753d9ca44fcd252ac9afd109d449e8b037003c2fb333bf71fb25b6015109382cec0b0a8f813bd5881b84d228f1eeab7226f8624f

Download Submit
C:\Users\Admin\AppData\Local\vzbHfYJ\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk

Filesize
1KB

MD5
3b460f4ce18cb68680400eaf105fa796

SHA1
825d20c4147e3b00a01019d91a0cfc6338192aef

SHA256
d83b1eb22a10c8069ff49474aabeca16ed6f8ba48d56eb9ae7a4bed6186000bb

SHA512
e1fac4cf3a4ea74d2edda4df9b5576a527d1447d80fe2ee7a333a09f80461418e4ed00a37492b3c1b30b8094407fc4460df06c92490f29813e16064fc66e823e

Download Submit
memory/372-81-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2324-0-0x000002B5F7910000-0x000002B5F7917000-memory.dmp

Filesize
28KB

Download
memory/2324-38-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2324-1-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2492-50-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/2492-46-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/2492-45-0x000002F304300000-0x000002F304307000-memory.dmp

Filesize
28KB

Download
memory/3412-26-0x00007FF876C10000-0x00007FF876C20000-memory.dmp

Filesize
64KB

Download
memory/3412-25-0x00007FF876C20000-0x00007FF876C30000-memory.dmp

Filesize
64KB

Download
memory/3412-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-23-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/3412-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-4-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/3412-3-0x00007FF8759CA000-0x00007FF8759CB000-memory.dmp

Filesize
4KB

Download
memory/3412-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3412-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3452-66-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-61-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-63-0x0000022D90750000-0x0000022D90757000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads