dridex | a3c82a5d0423dd286da22159254ce44db5fadc717abfe58240ab7bbf1acfd252

General

Target

a3c82a5d0423dd286da22159254ce44db5fadc717abfe58240ab7bbf1acfd252.dll
Size

936KB
MD5

03b5687f88d38e7633c38da183cf2136
SHA1

bc436ad961d5695942a16cdaf5537557303ed395
SHA256

a3c82a5d0423dd286da22159254ce44db5fadc717abfe58240ab7bbf1acfd252
SHA512

cbea474e44f0c9cff8cf9d4cc1dfcc3578bb49030668fbd0f5fdcc01cf110cb5582a833a2abeae39b17ea2366d6d2706231bfcae56c7c1db0da11039c528ec68
SSDEEP

12288:LPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:LtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1144-4-0x0000000002D60000-0x0000000002D61000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/276-0-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral1/memory/1144-23-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral1/memory/1144-35-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral1/memory/1144-34-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral1/memory/276-43-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral1/memory/2920-53-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2920-57-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2592-74-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/324-90-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

Netplwiz.exeSndVol.exesdclt.exe

pid process

2920 Netplwiz.exe
2592 SndVol.exe
324 sdclt.exe
Loads dropped DLL 7 IoCs

Processes:

Netplwiz.exeSndVol.exesdclt.exe

pid process

1144
2920 Netplwiz.exe
1144
2592 SndVol.exe
1144
324 sdclt.exe
1144

pid	process
2920	Netplwiz.exe
2592	SndVol.exe
324	sdclt.exe

pid	process
1144
2920	Netplwiz.exe
1144
2592	SndVol.exe
1144
324	sdclt.exe
1144

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\0R\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeNetplwiz.exeSndVol.exesdclt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeNetplwiz.exe

pid	process
276	rundll32.exe
276	rundll32.exe
276	rundll32.exe
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
2920	Netplwiz.exe
2920	Netplwiz.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1144 wrote to memory of 2776	1144	Netplwiz.exe
PID 1144 wrote to memory of 2776	1144	Netplwiz.exe
PID 1144 wrote to memory of 2776	1144	Netplwiz.exe
PID 1144 wrote to memory of 2920	1144	Netplwiz.exe
PID 1144 wrote to memory of 2920	1144	Netplwiz.exe
PID 1144 wrote to memory of 2920	1144	Netplwiz.exe
PID 1144 wrote to memory of 2556	1144	SndVol.exe
PID 1144 wrote to memory of 2556	1144	SndVol.exe
PID 1144 wrote to memory of 2556	1144	SndVol.exe
PID 1144 wrote to memory of 2592	1144	SndVol.exe
PID 1144 wrote to memory of 2592	1144	SndVol.exe
PID 1144 wrote to memory of 2592	1144	SndVol.exe
PID 1144 wrote to memory of 1952	1144	sdclt.exe
PID 1144 wrote to memory of 1952	1144	sdclt.exe
PID 1144 wrote to memory of 1952	1144	sdclt.exe
PID 1144 wrote to memory of 324	1144	sdclt.exe
PID 1144 wrote to memory of 324	1144	sdclt.exe
PID 1144 wrote to memory of 324	1144	sdclt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3c82a5d0423dd286da22159254ce44db5fadc717abfe58240ab7bbf1acfd252.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:276

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2776

C:\Users\Admin\AppData\Local\sEiL0vIr\Netplwiz.exe
C:\Users\Admin\AppData\Local\sEiL0vIr\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2556

C:\Users\Admin\AppData\Local\gdJGcm\SndVol.exe
C:\Users\Admin\AppData\Local\gdJGcm\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2592

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:1952

C:\Users\Admin\AppData\Local\dAc5\sdclt.exe
C:\Users\Admin\AppData\Local\dAc5\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dAc5\UxTheme.dll

Filesize
940KB

MD5
34cdc166e2c268a6584afcffbc87befc

SHA1
863c1bfbee19161e3301d8d04e3f0f652fce48e9

SHA256
25bce3d3b591a1ed76aa8cc40da7efbf44c196245b02e4c83a7d84a8d8b2af32

SHA512
184c083d0e49a56c56eac46febf4491607a5a291c9de1738c1ac0b90f29c9fc3dc546354a4ff02348da54aa96beee7731341c64ee6f5e6fb33a2431c3f8d7092

Download Submit
C:\Users\Admin\AppData\Local\gdJGcm\dwmapi.dll

Filesize
940KB

MD5
5ea2eb1639cd57c1d00a70162d1e5b46

SHA1
808c5076a113e2de5ec5381700d29efd3512bb87

SHA256
8ab93b9730622af5a769af547b1d8b41cdfb5ad66f7ee7df41ccefcf76083e2e

SHA512
f272be42b8dac08d5fdf4ef5dcd519d82fe27b96bd3310f5e160a8dc683a9cc469068da03611d52c1c5823b3c22363610cc06c8a5d7ca3de7b29f7fda2a56a7b

Download Submit
C:\Users\Admin\AppData\Local\sEiL0vIr\NETPLWIZ.dll

Filesize
940KB

MD5
830247af9fb1a3778768d5a175488868

SHA1
364884bea94f95d497071c17a2d758f52533d96f

SHA256
636445927f6ee3851b1211e468ab6258c6b1b3a1fe5015d7de3d0ed926280c39

SHA512
ab4ca8a6b93ccdfdcb7effa573e30bac73457b49b933fdd51052bbe987f41e94fbe76113dacf7ac3bed0bebe33c7dbe6f818319cb4353854e003798888598d30

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
96d8629293da312c664b0265fe6496f3

SHA1
935c5a586c6ff5c8ab3d5c297285ab2013d1c4b3

SHA256
15a11748a2083f32107e8e4bc6dd059ef0fd45b7e65dba62d00832a54473846c

SHA512
e3400517d1763720d92a535e8179306e9e7af3bfcb5e749ce072771a39c6276b64f5812f166d70caaba9c4941d2027f30404aa62e6d32269669d18aa311bf292

Download Submit
\Users\Admin\AppData\Local\dAc5\sdclt.exe

Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Local\gdJGcm\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\sEiL0vIr\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
memory/276-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/276-0-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/276-43-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/324-90-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1144-24-0x0000000077A70000-0x0000000077A72000-memory.dmp

Filesize
8KB

Download
memory/1144-13-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-23-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-7-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-25-0x0000000077AA0000-0x0000000077AA2000-memory.dmp

Filesize
8KB

Download
memory/1144-10-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-35-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-34-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-11-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-44-0x0000000077706000-0x0000000077707000-memory.dmp

Filesize
4KB

Download
memory/1144-12-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-8-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-3-0x0000000077706000-0x0000000077707000-memory.dmp

Filesize
4KB

Download
memory/1144-4-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1144-6-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-14-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1144-22-0x0000000002D40000-0x0000000002D47000-memory.dmp

Filesize
28KB

Download
memory/1144-9-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/2592-74-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2592-69-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2920-57-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2920-53-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2920-52-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads