dridex | 4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f

General

Target

4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f.dll
Size

968KB
MD5

5453dd8223f092553390e303d02d3160
SHA1

db579b41e2b925e52a32d67c44d5efadcdb52c91
SHA256

4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f
SHA512

9b3f0cca2e9b8d1af6b86a232606a57a44480f08ecb5854539f517a56d229a7b3a227cf7415caee70f040ee79cdea6cce0139ec99776664785966467199ca82d
SSDEEP

12288:NqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4BaedthD:NqGBHTxvt+g2gYedth

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3560-3-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2360-0-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral2/memory/3560-22-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral2/memory/3560-33-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral2/memory/2360-36-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral2/memory/636-44-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral2/memory/636-48-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral2/memory/2584-64-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral2/memory/3520-75-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/3520-79-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

LockScreenContentServer.exeRdpSaUacHelper.exeMusNotifyIcon.exe

pid process

636 LockScreenContentServer.exe
2584 RdpSaUacHelper.exe
3520 MusNotifyIcon.exe
Loads dropped DLL 3 IoCs

Processes:

LockScreenContentServer.exeRdpSaUacHelper.exeMusNotifyIcon.exe

pid process

636 LockScreenContentServer.exe
2584 RdpSaUacHelper.exe
3520 MusNotifyIcon.exe

pid	process
636	LockScreenContentServer.exe
2584	RdpSaUacHelper.exe
3520	MusNotifyIcon.exe

pid	process
636	LockScreenContentServer.exe
2584	RdpSaUacHelper.exe
3520	MusNotifyIcon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzvdnevrdk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\VMu\\RdpSaUacHelper.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeLockScreenContentServer.exeRdpSaUacHelper.exeMusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560
3560

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3560
Token: SeCreatePagefilePrivilege	3560
Token: SeShutdownPrivilege	3560
Token: SeCreatePagefilePrivilege	3560
Token: SeShutdownPrivilege	3560
Token: SeCreatePagefilePrivilege	3560
Token: SeShutdownPrivilege	3560
Token: SeCreatePagefilePrivilege	3560
Token: SeShutdownPrivilege	3560
Token: SeCreatePagefilePrivilege	3560
Token: SeShutdownPrivilege	3560
Token: SeCreatePagefilePrivilege	3560

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3560

pid	process
3560

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3560 wrote to memory of 4420	3560	LockScreenContentServer.exe
PID 3560 wrote to memory of 4420	3560	LockScreenContentServer.exe
PID 3560 wrote to memory of 636	3560	LockScreenContentServer.exe
PID 3560 wrote to memory of 636	3560	LockScreenContentServer.exe
PID 3560 wrote to memory of 4048	3560	RdpSaUacHelper.exe
PID 3560 wrote to memory of 4048	3560	RdpSaUacHelper.exe
PID 3560 wrote to memory of 2584	3560	RdpSaUacHelper.exe
PID 3560 wrote to memory of 2584	3560	RdpSaUacHelper.exe
PID 3560 wrote to memory of 4760	3560	MusNotifyIcon.exe
PID 3560 wrote to memory of 4760	3560	MusNotifyIcon.exe
PID 3560 wrote to memory of 3520	3560	MusNotifyIcon.exe
PID 3560 wrote to memory of 3520	3560	MusNotifyIcon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:4420

C:\Users\Admin\AppData\Local\PWat\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\PWat\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:636

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:4048

C:\Users\Admin\AppData\Local\16h1DVj\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\16h1DVj\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2584

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:4760

C:\Users\Admin\AppData\Local\ipG2T\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\ipG2T\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\16h1DVj\RdpSaUacHelper.exe

Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\16h1DVj\WINSTA.dll

Filesize
976KB

MD5
066c95e88153a1ce71ce815c78f926ea

SHA1
6cdf6c8c9bf6c43c7cab74941546f9127e34864a

SHA256
20937508fcbb1dd49b627bcdb3372cb560031b25952241781469699978fbfd99

SHA512
06f5ed6c6e4c4f36d635e6429f1a9d86dd80c73974745ff6557f879cfcbf5ee591c0c7aff24dd6ff6f1d276a064b99aed105b64fe573f9310b02db044afb6bb4

Download Submit
C:\Users\Admin\AppData\Local\PWat\DUser.dll

Filesize
976KB

MD5
df2bb14051623ad7b710b7f10b0dec02

SHA1
7aa6553edd066bb98ce78d394adafee61096e865

SHA256
9595bb052e3b8e6b34d01975c7ebd0e717f811bcb89451d79a04b75098a01446

SHA512
60db63f32fa015cf24c9708aba8660313591f70466dad5427080a24c195fb2cd0383c1453c63d7b4ab6aedfcadc920f638cd291bf187e78fd6bfab2b18ba4b11

Download Submit
C:\Users\Admin\AppData\Local\PWat\LockScreenContentServer.exe

Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Local\ipG2T\MusNotifyIcon.exe

Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\ipG2T\XmlLite.dll

Filesize
972KB

MD5
ec2cf7ed6f28ce3698c08ee7d6a0c101

SHA1
ffc35386095eb1049ceb7562bdf16b19d6b9af05

SHA256
1bb243b56687ae13572107451c68de0cffc4d4075d6f90086b9abe6f4944737b

SHA512
1ecf867d8dbac80a9730aabc7077f130da7ed578503dbc1c7d92100420fcf671a5273242f240a8fe4c1cfae4776ab5594f1d7e2c64e5809ee116dfa256dd969b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk

Filesize
1KB

MD5
8f679cef69d5f992686b2e1e0809f8da

SHA1
f2a7602055c56d1bfcf561a5306f868635769ab8

SHA256
5134a0af1adbd9eadc3a50817fcdd2e005566bf19078f8d2bd12773baa014c86

SHA512
a58b5ef02d9dac8ac6d509e661a88e49e927142557d083c0b6479ba7edbccac529f5f2d2543209b10764c3d891c093cc3ad97cc51f048b1b4f434627e61e28ec

Download Submit
memory/636-43-0x000001E05B160000-0x000001E05B167000-memory.dmp

Filesize
28KB

Download
memory/636-44-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/636-48-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/2360-0-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/2360-36-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/2360-2-0x0000022BA1270000-0x0000022BA1277000-memory.dmp

Filesize
28KB

Download
memory/2584-61-0x00000220301E0000-0x00000220301E7000-memory.dmp

Filesize
28KB

Download
memory/2584-64-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/3520-75-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3520-79-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3560-9-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-33-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-22-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-23-0x00007FFC71840000-0x00007FFC71850000-memory.dmp

Filesize
64KB

Download
memory/3560-24-0x00007FFC71830000-0x00007FFC71840000-memory.dmp

Filesize
64KB

Download
memory/3560-6-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-7-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-11-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-8-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-10-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-13-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-21-0x0000000000B40000-0x0000000000B47000-memory.dmp

Filesize
28KB

Download
memory/3560-12-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3560-3-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3560-5-0x00007FFC7168A000-0x00007FFC7168B000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads