dridex | c946e6a44ce5bcab9b3cf3445cf5d40c1b6e11dd0b3801d59c018c618be151a5

General

Target

c946e6a44ce5bcab9b3cf3445cf5d40c1b6e11dd0b3801d59c018c618be151a5.dll
Size

1.1MB
MD5

ad47ebe3d5bf4dc326457e5c3e8fa3fc
SHA1

47d7974b29f1603725a93cbc513044cf72c4a331
SHA256

c946e6a44ce5bcab9b3cf3445cf5d40c1b6e11dd0b3801d59c018c618be151a5
SHA512

6620fe7a1f4d762d8e5a92cb7b71490b56bd2814c50048ad72095dc9299eb7bfdfa78b2a2e647215086f45327398dd27d73a9168cd8a9a26ddcc7be44cc04fa6
SSDEEP

12288:SkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:SkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2112-0-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1188-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1188-37-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1188-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2112-44-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/3028-53-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/3028-58-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2000-70-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/2000-75-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/484-91-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

msra.execonsent.exemsconfig.exe

pid process

3028 msra.exe
2000 consent.exe
484 msconfig.exe
Loads dropped DLL 7 IoCs

Processes:

msra.execonsent.exemsconfig.exe

pid process

1188
3028 msra.exe
1188
2000 consent.exe
1188
484 msconfig.exe
1188

pid	process
3028	msra.exe
2000	consent.exe
484	msconfig.exe

pid	process
1188
3028	msra.exe
1188
2000	consent.exe
1188
484	msconfig.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\f9SgcUyiRpe\\consent.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsra.execonsent.exemsconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1188 wrote to memory of 2196	1188	msra.exe
PID 1188 wrote to memory of 2196	1188	msra.exe
PID 1188 wrote to memory of 2196	1188	msra.exe
PID 1188 wrote to memory of 3028	1188	msra.exe
PID 1188 wrote to memory of 3028	1188	msra.exe
PID 1188 wrote to memory of 3028	1188	msra.exe
PID 1188 wrote to memory of 1876	1188	consent.exe
PID 1188 wrote to memory of 1876	1188	consent.exe
PID 1188 wrote to memory of 1876	1188	consent.exe
PID 1188 wrote to memory of 2000	1188	consent.exe
PID 1188 wrote to memory of 2000	1188	consent.exe
PID 1188 wrote to memory of 2000	1188	consent.exe
PID 1188 wrote to memory of 760	1188	msconfig.exe
PID 1188 wrote to memory of 760	1188	msconfig.exe
PID 1188 wrote to memory of 760	1188	msconfig.exe
PID 1188 wrote to memory of 484	1188	msconfig.exe
PID 1188 wrote to memory of 484	1188	msconfig.exe
PID 1188 wrote to memory of 484	1188	msconfig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c946e6a44ce5bcab9b3cf3445cf5d40c1b6e11dd0b3801d59c018c618be151a5.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:2196

C:\Users\Admin\AppData\Local\PSw7DzQ\msra.exe
C:\Users\Admin\AppData\Local\PSw7DzQ\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3028

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1876

C:\Users\Admin\AppData\Local\FGB\consent.exe
C:\Users\Admin\AppData\Local\FGB\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2000

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:760

C:\Users\Admin\AppData\Local\EccrPbK\msconfig.exe
C:\Users\Admin\AppData\Local\EccrPbK\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EccrPbK\VERSION.dll

Filesize
1.1MB

MD5
ec3d34e0c382b6a21507db31f5ac742d

SHA1
de542590241558c999341115b89cdf7f4b3cfcfd

SHA256
348874bf21f08793a88ffe3574384777cb2016e0a8e2cbb088f36ddb3fd1dc8d

SHA512
907bde531cc3bee73eb0ad8b6f01b6aa4dd18bbee663b6f184f7df9abbbcd96e49b1e46616dc73f448059d9a8911789522efc70baf328d65f2519db97458ffff

Download Submit
C:\Users\Admin\AppData\Local\FGB\WINMM.dll

Filesize
1.1MB

MD5
9064dbb81ad88fc23787072861a856c8

SHA1
acc9d575180549ce585639a68e7247bea30e4f04

SHA256
db65ed7558a7eef6fd03b2cca0638e1573342bcddf1fa3e33632ff0004aa3d96

SHA512
23931bc4519926e69cd242c99d62bf259e081f24ecd4ef76d1e64a365ac0f6762e6af2a2d7513c77393036bed8e2939c906f892edf280270225ed5eb3b25696e

Download Submit
C:\Users\Admin\AppData\Local\FGB\consent.exe

Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
C:\Users\Admin\AppData\Local\PSw7DzQ\NDFAPI.DLL

Filesize
1.1MB

MD5
db7332afedaf88369cfedcee2ac9cc69

SHA1
8d1a02a077f0e1162579267cfb8295de88f6959a

SHA256
9464e3badbc6797955cb52b52a3fe7497c6edee281fe15592f902ef458626c6f

SHA512
df194e5b0ff5866b0be1600af9f83d5b969b42ffbfcf7b8b96aeaaaa4def42d749d40a436bddca0562718381641b93242c0689e159b3142339e932492d2abc89

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
886a785f6e363c9cc67813765065ad4b

SHA1
7f526661d8df6f19884afa60a008c16e35a5e575

SHA256
2b88717472b34dbb561d705afaf796df32abba48c6eac5a9289d29a089bb4b72

SHA512
c00e2e9d1f3fd40f7c2f5674bf0ee17339b7bd5e45771a16cf06555133542b3cdb67239fe5c5d64899ffe6f65f7981b53b737e01682a2f4b2f4e0984943ac25f

Download Submit
\Users\Admin\AppData\Local\EccrPbK\msconfig.exe

Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\PSw7DzQ\msra.exe

Filesize
636KB

MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
memory/484-91-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1188-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-45-0x0000000077A56000-0x0000000077A57000-memory.dmp

Filesize
4KB

Download
memory/1188-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-23-0x00000000025E0000-0x00000000025E7000-memory.dmp

Filesize
28KB

Download
memory/1188-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-26-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

Filesize
8KB

Download
memory/1188-25-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

Filesize
8KB

Download
memory/1188-37-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-3-0x0000000077A56000-0x0000000077A57000-memory.dmp

Filesize
4KB

Download
memory/1188-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1188-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1188-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2000-70-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2000-72-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2000-75-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2112-2-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2112-44-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2112-0-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3028-58-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3028-53-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3028-55-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads