dridex | 67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579

General

Target

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll
Size

1.1MB
MD5

edb00c9b061bf3a926d1b0c3274f556a
SHA1

b87a8d763f02967934771530826d716998a7bc8a
SHA256

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579
SHA512

e0997a744143db3b611519aac784ecec3cab29600f3cd16ec243450333d445698c9b0dcdd1e43fd89bab898d26e65fcf45b3bb6b81d9e13ae4cbf033e15f2a8a
SSDEEP

12288:WkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:WkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2448-0-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1192-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1192-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1192-36-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2448-44-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2572-53-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2572-57-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2908-73-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/264-85-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/264-89-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

tabcal.exemsdt.exetcmsetup.exe

pid process

2572 tabcal.exe
2908 msdt.exe
264 tcmsetup.exe
Loads dropped DLL 7 IoCs

Processes:

tabcal.exemsdt.exetcmsetup.exe

pid process

1192
2572 tabcal.exe
1192
2908 msdt.exe
1192
264 tcmsetup.exe
1192

pid	process
2572	tabcal.exe
2908	msdt.exe
264	tcmsetup.exe

pid	process
1192
2572	tabcal.exe
1192
2908	msdt.exe
1192
264	tcmsetup.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\mGLlk\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdt.exetcmsetup.exerundll32.exetabcal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2448	rundll32.exe
2448	rundll32.exe
2448	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2536	1192	tabcal.exe
PID 1192 wrote to memory of 2536	1192	tabcal.exe
PID 1192 wrote to memory of 2536	1192	tabcal.exe
PID 1192 wrote to memory of 2572	1192	tabcal.exe
PID 1192 wrote to memory of 2572	1192	tabcal.exe
PID 1192 wrote to memory of 2572	1192	tabcal.exe
PID 1192 wrote to memory of 1096	1192	msdt.exe
PID 1192 wrote to memory of 1096	1192	msdt.exe
PID 1192 wrote to memory of 1096	1192	msdt.exe
PID 1192 wrote to memory of 2908	1192	msdt.exe
PID 1192 wrote to memory of 2908	1192	msdt.exe
PID 1192 wrote to memory of 2908	1192	msdt.exe
PID 1192 wrote to memory of 1496	1192	tcmsetup.exe
PID 1192 wrote to memory of 1496	1192	tcmsetup.exe
PID 1192 wrote to memory of 1496	1192	tcmsetup.exe
PID 1192 wrote to memory of 264	1192	tcmsetup.exe
PID 1192 wrote to memory of 264	1192	tcmsetup.exe
PID 1192 wrote to memory of 264	1192	tcmsetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2536

C:\Users\Admin\AppData\Local\gpNse8E1u\tabcal.exe
C:\Users\Admin\AppData\Local\gpNse8E1u\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2572

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1096

C:\Users\Admin\AppData\Local\sA3KCC\msdt.exe
C:\Users\Admin\AppData\Local\sA3KCC\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2908

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:1496

C:\Users\Admin\AppData\Local\EdsfecW\tcmsetup.exe
C:\Users\Admin\AppData\Local\EdsfecW\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EdsfecW\TAPI32.dll

Filesize
1.1MB

MD5
f0dbe9b29ba7c9741c93b380072d13d0

SHA1
f8f6c59414874c01ac8431fc46685c9bbf116ba8

SHA256
47d33220454ccc697a0332342cba40bc1dbd7758eeef6e140e4d43e0f4e9f606

SHA512
d86dafc2492d3d8a956f0449df196f78119bb3af9645ac2377ff3bec3fe935f1f6bbea9924eff9305c406d5fb8dddd82a88b6e4ef1351d65a150f1c2319b54aa

Download Submit
C:\Users\Admin\AppData\Local\gpNse8E1u\HID.DLL

Filesize
1.1MB

MD5
38c55e731bdc8ef30acf9cd9f70ca4a1

SHA1
ccf383f8cbde1fc1eac87b775837f3c053341334

SHA256
8e5c7b85c3f7e17853e40099934840be4b2e534a63ca1052d3949f84ca11a44d

SHA512
dd06a474a093ffda8359d9ae5c9d96964595bdcf11ffbb03f390edee2dba7cb6efdc69140124ee29d3ef3753cd7b026da9523ad9510a9d0d21aab730b2c806d1

Download Submit
C:\Users\Admin\AppData\Local\sA3KCC\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1KB

MD5
29fce54ff8438520513c53058bede565

SHA1
dd5c71e5c0c176138907429feb007e4f87ec5c3a

SHA256
2d1b891c5cc3b8df7b9285f25dbd0732c9799d841971d5a946edcf9e44c0d577

SHA512
e5cf930bcdc867b0462f46727d2b452999e60d2d95174a4f05569a2ba2acb90130916d117b7e689930365bd4d4d41b9e5a7af004b32ee619dd4276433579ced1

Download Submit
\Users\Admin\AppData\Local\EdsfecW\tcmsetup.exe

Filesize
15KB

MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Local\gpNse8E1u\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\sA3KCC\DUser.dll

Filesize
1.1MB

MD5
cbd089792401186bc5642c358109f15a

SHA1
6773ef74e31284c4b0d51e96b1d730d776b3e4f0

SHA256
ab7b6e1190e345c2a1dcf51bffcb62617fad2ea0f5a45262f2146fe36bdb5ec2

SHA512
7791ee4886bc59df05cc09367d56fcfcf84c989c78f38c7845d1a27cc602b2273c69da93fea6d48a390284067f3b1869e6e7c3a39e446d92cc350034ec6027ef

Download Submit
memory/264-89-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/264-85-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/1192-25-0x0000000077CE0000-0x0000000077CE2000-memory.dmp

Filesize
8KB

Download
memory/1192-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-26-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/1192-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-36-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-3-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1192-45-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1192-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1192-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1192-23-0x0000000002B80000-0x0000000002B87000-memory.dmp

Filesize
28KB

Download
memory/2448-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2448-44-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2448-0-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2572-57-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2572-53-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2908-73-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2908-69-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads