dridex | 4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa

General

Target

4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll
Size

692KB
MD5

e9531680b8f5142d44285991f2709e0a
SHA1

45d9e59a69ddade77a8f3b4f0edb6deb18e8d3b6
SHA256

4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa
SHA512

dbb8b8208e7f6ebf90a715963d9fdbfdb29c66ce079c9b805f116064e5ffbd334f5ef958279460ac3193a1610eca25d90f7e63c078b0e70369c2d0bef3262617
SSDEEP

12288:AqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:AqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1180-4-0x0000000002D50000-0x0000000002D51000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2416-0-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral1/memory/1180-22-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral1/memory/1180-35-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral1/memory/1180-34-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral1/memory/2416-42-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral1/memory/2748-52-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2748-56-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2296-73-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2936-88-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

msconfig.exeSndVol.exeicardagt.exe

pid process

2748 msconfig.exe
2296 SndVol.exe
2936 icardagt.exe
Loads dropped DLL 7 IoCs

Processes:

msconfig.exeSndVol.exeicardagt.exe

pid process

1180
2748 msconfig.exe
1180
2296 SndVol.exe
1180
2936 icardagt.exe
1180

pid	process
2748	msconfig.exe
2296	SndVol.exe
2936	icardagt.exe

pid	process
1180
2748	msconfig.exe
1180
2296	SndVol.exe
1180
2936	icardagt.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnfwvyvycst = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\eIu\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msconfig.exeSndVol.exeicardagt.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1180 wrote to memory of 2904	1180	msconfig.exe
PID 1180 wrote to memory of 2904	1180	msconfig.exe
PID 1180 wrote to memory of 2904	1180	msconfig.exe
PID 1180 wrote to memory of 2748	1180	msconfig.exe
PID 1180 wrote to memory of 2748	1180	msconfig.exe
PID 1180 wrote to memory of 2748	1180	msconfig.exe
PID 1180 wrote to memory of 2176	1180	SndVol.exe
PID 1180 wrote to memory of 2176	1180	SndVol.exe
PID 1180 wrote to memory of 2176	1180	SndVol.exe
PID 1180 wrote to memory of 2296	1180	SndVol.exe
PID 1180 wrote to memory of 2296	1180	SndVol.exe
PID 1180 wrote to memory of 2296	1180	SndVol.exe
PID 1180 wrote to memory of 2700	1180	icardagt.exe
PID 1180 wrote to memory of 2700	1180	icardagt.exe
PID 1180 wrote to memory of 2700	1180	icardagt.exe
PID 1180 wrote to memory of 2936	1180	icardagt.exe
PID 1180 wrote to memory of 2936	1180	icardagt.exe
PID 1180 wrote to memory of 2936	1180	icardagt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2904

C:\Users\Admin\AppData\Local\qno3ClS\msconfig.exe
C:\Users\Admin\AppData\Local\qno3ClS\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2748

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2176

C:\Users\Admin\AppData\Local\G2HP3\SndVol.exe
C:\Users\Admin\AppData\Local\G2HP3\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2296

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:2700

C:\Users\Admin\AppData\Local\HABzonCR\icardagt.exe
C:\Users\Admin\AppData\Local\HABzonCR\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\G2HP3\UxTheme.dll

Filesize
696KB

MD5
be528090560026b46bf97945c48e1d03

SHA1
56d48813dfe47739f6f23248cca1cf64e0723930

SHA256
f5768356ec95e6d328be230fb9d1b00aa450cd81ff4895b2ae2d39cc46f7b131

SHA512
adbc74661e398dcd41812a8dabe2191aadf1787f554aaf616f2894a264c04a4f9620cba52a2a4af096ebac2f3ad7a81aa89bb6f98cece794ea6aca80f4eb8626

Download Submit
C:\Users\Admin\AppData\Local\HABzonCR\VERSION.dll

Filesize
696KB

MD5
bcc02ac940f332995e9cb6363d817572

SHA1
5e69769d0577ffd4331f618b2c9b97ab99f86b51

SHA256
dd1c63de5a0de4f65a96a455d14607922ebeb3ce9d132647ba859c6c0013f655

SHA512
22a35e329a6a1be8e78b19e8034c98c589ea2b1fc718ef149c0eb9a1db07dd1c4e65e0a9dff20db386d914aa53212abcfdbdcae009ca4e85f4562eb6e508a26d

Download Submit
C:\Users\Admin\AppData\Local\HABzonCR\icardagt.exe

Filesize
1.3MB

MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\qno3ClS\VERSION.dll

Filesize
696KB

MD5
2758521234dd8fe48ada74f1935d4d75

SHA1
3ab9a40ffdb3e38427d2147da610423a05bdc3bf

SHA256
26c32be18592dbfab06edb9ba7b181b5956a10299290a256690574fea2659052

SHA512
e879cd5099d386e304e1a2ff4ccae2f1c34a7cc82e73c3d8ffd4fdfd4ea2def1d69ebf5a666517c0099d7b84547040c5caecab58a8f97470fddff04dc341c081

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk

Filesize
1KB

MD5
d3f52805b2e807c33888e63d0bc79146

SHA1
890eeb648189a93bd8073289b5a8e4aac8aaf8c8

SHA256
ed1a51645613227ec39dfaef05424fff8cd66f9ee14551406d02ead02fd01dd0

SHA512
48c3a86a0fd40ff4d430b2c920545ea369e38ca35770d63ff73c61bae0b886ebddfa1527440cd420af2112609fe067cba1034ddbc73227d9e2005564922b3522

Download Submit
\Users\Admin\AppData\Local\G2HP3\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\qno3ClS\msconfig.exe

Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
memory/1180-35-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-7-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-11-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-13-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-21-0x0000000002D30000-0x0000000002D37000-memory.dmp

Filesize
28KB

Download
memory/1180-12-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-22-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-24-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/1180-23-0x0000000077280000-0x0000000077282000-memory.dmp

Filesize
8KB

Download
memory/1180-3-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1180-34-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-4-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1180-43-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1180-6-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-8-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-10-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/1180-9-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/2296-70-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/2296-73-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2416-42-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/2416-0-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/2416-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2748-56-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2748-52-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2748-51-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2936-88-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads