dridex | c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9

General

Target

c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9.dll
Size

696KB
MD5

631038be4bd53f745415c744e811f016
SHA1

bf6039ad50e15305c2983d6ee8ff6cf1cfeb8fec
SHA256

c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9
SHA512

5abcc343583f350ebff83996ffaea1faca0491f5a85e2a1b739263100899bb88ef5969dc180c4d7d91c248f0f20a45b7b9b6187462ea98d70284cb4dd6a88385
SSDEEP

12288:eqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:eqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1180-4-0x0000000002D50000-0x0000000002D51000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1632-0-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1180-23-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1180-35-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1180-34-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1632-43-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2656-53-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2656-57-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1972-74-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2940-90-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

BdeUISrv.exeSndVol.exeAdapterTroubleshooter.exe

pid process

2656 BdeUISrv.exe
1972 SndVol.exe
2940 AdapterTroubleshooter.exe
Loads dropped DLL 7 IoCs

Processes:

BdeUISrv.exeSndVol.exeAdapterTroubleshooter.exe

pid process

1180
2656 BdeUISrv.exe
1180
1972 SndVol.exe
1180
2940 AdapterTroubleshooter.exe
1180

pid	process
2656	BdeUISrv.exe
1972	SndVol.exe
2940	AdapterTroubleshooter.exe

pid	process
1180
2656	BdeUISrv.exe
1180
1972	SndVol.exe
1180
2940	AdapterTroubleshooter.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnfwvyvycst = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\uVvaZ\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BdeUISrv.exeSndVol.exeAdapterTroubleshooter.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdapterTroubleshooter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeBdeUISrv.exe

pid	process
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
2656	BdeUISrv.exe
2656	BdeUISrv.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1180 wrote to memory of 2824	1180	BdeUISrv.exe
PID 1180 wrote to memory of 2824	1180	BdeUISrv.exe
PID 1180 wrote to memory of 2824	1180	BdeUISrv.exe
PID 1180 wrote to memory of 2656	1180	BdeUISrv.exe
PID 1180 wrote to memory of 2656	1180	BdeUISrv.exe
PID 1180 wrote to memory of 2656	1180	BdeUISrv.exe
PID 1180 wrote to memory of 2264	1180	SndVol.exe
PID 1180 wrote to memory of 2264	1180	SndVol.exe
PID 1180 wrote to memory of 2264	1180	SndVol.exe
PID 1180 wrote to memory of 1972	1180	SndVol.exe
PID 1180 wrote to memory of 1972	1180	SndVol.exe
PID 1180 wrote to memory of 1972	1180	SndVol.exe
PID 1180 wrote to memory of 2936	1180	AdapterTroubleshooter.exe
PID 1180 wrote to memory of 2936	1180	AdapterTroubleshooter.exe
PID 1180 wrote to memory of 2936	1180	AdapterTroubleshooter.exe
PID 1180 wrote to memory of 2940	1180	AdapterTroubleshooter.exe
PID 1180 wrote to memory of 2940	1180	AdapterTroubleshooter.exe
PID 1180 wrote to memory of 2940	1180	AdapterTroubleshooter.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c96f6800e719594a0985a65c2b5b86590c7470a36872f13804d5dbbcf4df32f9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2824

C:\Users\Admin\AppData\Local\cXZgxw80\BdeUISrv.exe
C:\Users\Admin\AppData\Local\cXZgxw80\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2264

C:\Users\Admin\AppData\Local\ExG\SndVol.exe
C:\Users\Admin\AppData\Local\ExG\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1972

C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
1⤵
PID:2936

C:\Users\Admin\AppData\Local\5TcO\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\5TcO\AdapterTroubleshooter.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5TcO\d3d9.dll

Filesize
700KB

MD5
6ff39e807917d75237bbec4d04c4735b

SHA1
0c9172df985b7abecb82e79fd85085a0556019f5

SHA256
d40b0ec6610732289e5dbc310ad1147b6464a5fd027baa88e75c144f8af94aac

SHA512
1823ae346084ceb5f1159339fc06e3439592b32aac61ff7068cbc868c388c5ce9369e2f91fe4538018f19aa6e2c47dfbd292fa12b6f3a681d9cb251a263a0878

Download Submit
C:\Users\Admin\AppData\Local\ExG\dwmapi.dll

Filesize
700KB

MD5
e5e5dfbdf06c428e5d669c902b385ecb

SHA1
a31a5f5950d4980b68db7a1e972aec3b1f67b2d5

SHA256
603e649b4ab7d5076cdca4819c1d1a3d4bca26dff612d758a20d1dd71845d331

SHA512
a0cf36dbb126114ee3328931fa4d554b7e007a8a4639c4cf90af7e023155676a8ff819ca20a22626cae75b8814abdae29fe0403002d938f67be19d6444b6e6dc

Download Submit
C:\Users\Admin\AppData\Local\cXZgxw80\BdeUISrv.exe

Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
C:\Users\Admin\AppData\Local\cXZgxw80\WTSAPI32.dll

Filesize
700KB

MD5
e7f3a8bc55ddf35b519edfb3cf0547ea

SHA1
8f7649d56c5f86f0ce13a4b6640408eebd693c34

SHA256
3ec0025f8f7118cd7263af1047395c22b79679b93594d0101696463b7acd22b2

SHA512
86d1ba97c80ab53386b9e0a4f446271e1e432f62b1aad3281b568a992fba90231671eac8f6c51246c6547adebb9e27bd03c72ff69a43b735e25318f55fd22af4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk

Filesize
1KB

MD5
5d265db588afa49f871e30fd71caed9e

SHA1
6247e28e6662b4c739de1a0870ac32715def4907

SHA256
6784d5f6aa77f875602790d7d3df376876402f4459a985b5d4909685dc9dab88

SHA512
3bb1600eada207ab892809c127835e3b6fb8482f3af76f6b325eb92b9ee8446d35a246244afd34cb38818155efec8c6c045d90eb69bcb6d2933b9311f1d681bb

Download Submit
\Users\Admin\AppData\Local\5TcO\AdapterTroubleshooter.exe

Filesize
39KB

MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
\Users\Admin\AppData\Local\ExG\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
memory/1180-24-0x0000000077280000-0x0000000077282000-memory.dmp

Filesize
8KB

Download
memory/1180-44-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1180-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-23-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-25-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/1180-3-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1180-35-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-34-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-4-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1180-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-22-0x0000000002D30000-0x0000000002D37000-memory.dmp

Filesize
28KB

Download
memory/1180-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1180-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1632-43-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1632-2-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1632-0-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1972-69-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1972-74-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2656-57-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2656-53-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2656-52-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2940-90-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads