dridex | 5c75ed616297014a3a602a2dd07ed166a38118dd5288db2998b6ed9d4af46971

General

Target

5c75ed616297014a3a602a2dd07ed166a38118dd5288db2998b6ed9d4af46971.dll
Size

696KB
MD5

9ddd4fc0449313c0f8928c861e82d59a
SHA1

6ac9b2389831ccb8ee2225ab00b4e7a57c60f144
SHA256

5c75ed616297014a3a602a2dd07ed166a38118dd5288db2998b6ed9d4af46971
SHA512

84be854fad826486d5d39f445b603059d48ecc22be0692607c7747fa45c6ccfa9775854b069ddc72df52241aaec23c8254c63f408f26ada2d3c3fb030bcbc558
SSDEEP

12288:+qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baedi1:+qGBHTxvt+g2gYedi1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-4-0x0000000002D10000-0x0000000002D11000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2356-0-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1256-23-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1256-34-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1256-36-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2356-43-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2840-52-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2840-57-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2620-74-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2756-90-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exeSystemPropertiesComputerName.exemsdt.exe

pid process

2840 SoundRecorder.exe
2620 SystemPropertiesComputerName.exe
2756 msdt.exe
Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exeSystemPropertiesComputerName.exemsdt.exe

pid process

1256
2840 SoundRecorder.exe
1256
2620 SystemPropertiesComputerName.exe
1256
2756 msdt.exe
1256

pid	process
2840	SoundRecorder.exe
2620	SystemPropertiesComputerName.exe
2756	msdt.exe

pid	process
1256
2840	SoundRecorder.exe
1256
2620	SystemPropertiesComputerName.exe
1256
2756	msdt.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\77OqRf\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSoundRecorder.exeSystemPropertiesComputerName.exemsdt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSoundRecorder.exe

pid	process
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
2840	SoundRecorder.exe
2840	SoundRecorder.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 2764	1256	SoundRecorder.exe
PID 1256 wrote to memory of 2764	1256	SoundRecorder.exe
PID 1256 wrote to memory of 2764	1256	SoundRecorder.exe
PID 1256 wrote to memory of 2840	1256	SoundRecorder.exe
PID 1256 wrote to memory of 2840	1256	SoundRecorder.exe
PID 1256 wrote to memory of 2840	1256	SoundRecorder.exe
PID 1256 wrote to memory of 2572	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 2572	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 2572	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 2620	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 2620	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 2620	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 1212	1256	msdt.exe
PID 1256 wrote to memory of 1212	1256	msdt.exe
PID 1256 wrote to memory of 1212	1256	msdt.exe
PID 1256 wrote to memory of 2756	1256	msdt.exe
PID 1256 wrote to memory of 2756	1256	msdt.exe
PID 1256 wrote to memory of 2756	1256	msdt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c75ed616297014a3a602a2dd07ed166a38118dd5288db2998b6ed9d4af46971.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\eP3\SoundRecorder.exe
C:\Users\Admin\AppData\Local\eP3\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2572

C:\Users\Admin\AppData\Local\AZJxvmrX\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\AZJxvmrX\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2620

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1212

C:\Users\Admin\AppData\Local\UUJaiyIHs\msdt.exe
C:\Users\Admin\AppData\Local\UUJaiyIHs\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AZJxvmrX\SYSDM.CPL

Filesize
700KB

MD5
8b4700746aa67407098ad183c11f9c7e

SHA1
246e9aa6de02095185652bc7302f1367234557ae

SHA256
a706acb48100f4dc43e5a35ae8482b84ba45b413650dca78320263684d618d1a

SHA512
44785b1b988ef6e7071f31967b92c4e4816ffb89616b81c277bccd014a0e704be011e46226fde8df0efffb5e93790734d0b6347b5b8537ba96de0215895e706c

Download Submit
C:\Users\Admin\AppData\Local\UUJaiyIHs\Secur32.dll

Filesize
700KB

MD5
79396f0c9f7b25adf098772a9ed8bb40

SHA1
8841f6b1cfe07190f18e67e5352f315136fadc42

SHA256
18031b0678661d138943f983eed09f6abcb02bcdf8c2f54a1a20645555607cd9

SHA512
d3f7193bd8d13647aba7839d2f9d07f29ed6191c57c96a67bea3e5e4e1a9a50954672d073a3ca8864554a6da6ded38d0be21f8b639658886bda175117f77e611

Download Submit
C:\Users\Admin\AppData\Local\eP3\UxTheme.dll

Filesize
700KB

MD5
83031fba962df0be9cc3e7f98edd5e9e

SHA1
5dd05328f22e195f8a7f1e31d26b6e217d9950df

SHA256
b5524af1c987688064c59159efac9b6fe17a55766824e3c516a2a013054e292d

SHA512
37a6c09ca7aba681e9f9f7ab684e8c5bec0b40bc2a45f8aed65d1cd76908e3869a656c9675b329684662587e310af43e87d0e1e04102ff06529628855271a379

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
fa8bb8a1bf299cbf647b7c68939c1d29

SHA1
23e40288fe596e59307ca3fcddcd76874cd4e28e

SHA256
da93efceb3b5a676e7fd7261236460ce6d16d51274fa1ae2f983407d6e1602f6

SHA512
7131257559324a66fb9f4ad0a223e5164f2ff62fd41267110f374d0a92d7c561be2282ada30f38f681a25133be2fc640bd2a50cdaae7b467b25be85d58485bb3

Download Submit
\Users\Admin\AppData\Local\AZJxvmrX\SystemPropertiesComputerName.exe

Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\UUJaiyIHs\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\eP3\SoundRecorder.exe

Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
memory/1256-25-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/1256-44-0x0000000077576000-0x0000000077577000-memory.dmp

Filesize
4KB

Download
memory/1256-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-23-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-24-0x00000000777E0000-0x00000000777E2000-memory.dmp

Filesize
8KB

Download
memory/1256-3-0x0000000077576000-0x0000000077577000-memory.dmp

Filesize
4KB

Download
memory/1256-34-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-36-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-4-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1256-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-22-0x0000000002180000-0x0000000002187000-memory.dmp

Filesize
28KB

Download
memory/1256-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1256-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2356-43-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2356-0-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2356-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2620-71-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2620-74-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2756-90-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2840-57-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2840-52-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2840-54-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads