dridex | a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371

General

Target

a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371.dll
Size

1.1MB
MD5

220299c4d18b28c5c9adce9e905d9b77
SHA1

70b93b7c82770bc3a4fd2eb66edaf1b3d3443acb
SHA256

a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371
SHA512

f3dd0898c251b7ff3505de8bba714a6f68983c813e42d774eca0e6e8220be9263353faac311fb2d2f19442be394ec867c86c664832dcea513f0dc6ba5eb58bef
SSDEEP

12288:ckMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:ckMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1396-4-0x00000000024D0000-0x00000000024D1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2296-0-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1396-23-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1396-34-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1396-35-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/2296-43-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1852-53-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1852-57-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1428-74-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1944-90-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

tabcal.exesdclt.exeSoundRecorder.exe

pid process

1852 tabcal.exe
1428 sdclt.exe
1944 SoundRecorder.exe
Loads dropped DLL 7 IoCs

Processes:

tabcal.exesdclt.exeSoundRecorder.exe

pid process

1396
1852 tabcal.exe
1396
1428 sdclt.exe
1396
1944 SoundRecorder.exe
1396

pid	process
1852	tabcal.exe
1428	sdclt.exe
1944	SoundRecorder.exe

pid	process
1396
1852	tabcal.exe
1396
1428	sdclt.exe
1396
1944	SoundRecorder.exe
1396

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\xTFTB\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exetabcal.exesdclt.exeSoundRecorder.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2296	rundll32.exe
2296	rundll32.exe
2296	rundll32.exe
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1396 wrote to memory of 3032	1396	tabcal.exe
PID 1396 wrote to memory of 3032	1396	tabcal.exe
PID 1396 wrote to memory of 3032	1396	tabcal.exe
PID 1396 wrote to memory of 1852	1396	tabcal.exe
PID 1396 wrote to memory of 1852	1396	tabcal.exe
PID 1396 wrote to memory of 1852	1396	tabcal.exe
PID 1396 wrote to memory of 2384	1396	sdclt.exe
PID 1396 wrote to memory of 2384	1396	sdclt.exe
PID 1396 wrote to memory of 2384	1396	sdclt.exe
PID 1396 wrote to memory of 1428	1396	sdclt.exe
PID 1396 wrote to memory of 1428	1396	sdclt.exe
PID 1396 wrote to memory of 1428	1396	sdclt.exe
PID 1396 wrote to memory of 2420	1396	SoundRecorder.exe
PID 1396 wrote to memory of 2420	1396	SoundRecorder.exe
PID 1396 wrote to memory of 2420	1396	SoundRecorder.exe
PID 1396 wrote to memory of 1944	1396	SoundRecorder.exe
PID 1396 wrote to memory of 1944	1396	SoundRecorder.exe
PID 1396 wrote to memory of 1944	1396	SoundRecorder.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:3032

C:\Users\Admin\AppData\Local\g62wA8j\tabcal.exe
C:\Users\Admin\AppData\Local\g62wA8j\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1852

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2384

C:\Users\Admin\AppData\Local\2EVH\sdclt.exe
C:\Users\Admin\AppData\Local\2EVH\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1428

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2420

C:\Users\Admin\AppData\Local\bOiPh\SoundRecorder.exe
C:\Users\Admin\AppData\Local\bOiPh\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2EVH\Secur32.dll

Filesize
1.1MB

MD5
1bd36d3ca1974e8eff4e0f63abaaf0d2

SHA1
38682936448bedd06e7800e295ff576334dda2a6

SHA256
c19fe49f712888de6de1a586346209b2c2945b8c2f70e0a108bb9b553b12c9a1

SHA512
eb635e2bc011c7d92d40e771f64957756638f5002c0d4e8a2fd18f8cdd9e2a0b6188b31d6e7fa83744d64eda3df6cfd75afbdba129bb15aaef6757fb9cc308fc

Download Submit
C:\Users\Admin\AppData\Local\bOiPh\UxTheme.dll

Filesize
1.1MB

MD5
df19796acf728fc085de77bf441fb0ba

SHA1
3b107415c35f2663c2310012591f9e7789add363

SHA256
f54632401c1cfd14ee48fa6b0c9977b6d36f8f8b0b38f358808b769fac660b60

SHA512
d617db7003e0ae47f39dd80cf94345b6a39eb0ed5cdf4a20df377c411a7700c55bb26b4895ac915670da740570b3eaddcad0c8bdea813581440971d391f81f4a

Download Submit
C:\Users\Admin\AppData\Local\g62wA8j\HID.DLL

Filesize
1.1MB

MD5
4fa098c7fb57f10cc782eb1d97595a85

SHA1
c9e31f6abb2339070accb7f16c76094e1e407493

SHA256
bb54e55a0555d0dde27022d95525e228bd10e84af60978ea4ef895a88554191f

SHA512
52313c323797eb288c00451110c473ae94e80c63c5830f115f047fe633ebe5e390ce4ae03d7841b90bf22b4ce2e9ac1502ad6c21b31c9fda43475014626cfa53

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1KB

MD5
8c464ced1b5963ba993399964b4a9b26

SHA1
0c73441414446fb60e2a2428e606a31aab17ca9b

SHA256
c0d767c43b7eaba2f928e10395ae4870c39514d1211ac43e2a8a95fb149c1bd3

SHA512
ded4d46c3aaf05703bdfc4b91d378b7e16963993939d36d8328b0e577e4c3fe4d3c78c836928544283927f47f7b960875e03a4a25744a41200b257674dc5fa4a

Download Submit
\Users\Admin\AppData\Local\2EVH\sdclt.exe

Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Local\bOiPh\SoundRecorder.exe

Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
\Users\Admin\AppData\Local\g62wA8j\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
memory/1396-24-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/1396-44-0x0000000076EA6000-0x0000000076EA7000-memory.dmp

Filesize
4KB

Download
memory/1396-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-6-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-25-0x0000000077140000-0x0000000077142000-memory.dmp

Filesize
8KB

Download
memory/1396-3-0x0000000076EA6000-0x0000000076EA7000-memory.dmp

Filesize
4KB

Download
memory/1396-34-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-35-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-4-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1396-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-15-0x00000000024B0000-0x00000000024B7000-memory.dmp

Filesize
28KB

Download
memory/1396-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1428-69-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1428-74-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1852-57-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1852-53-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1852-52-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1944-90-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2296-43-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2296-1-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2296-0-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads