dridex | 5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6

General

Target

5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6.dll
Size

668KB
MD5

6e81fa44ba1b79c29a1f1e2e6af6faaf
SHA1

993d4e84074a54b99a356eb3224eceb7e0b7e0f6
SHA256

5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6
SHA512

ebd94dce5c34630905ed744e7b75af2c1d934241e86717069f5b66e900906082b500f5cb494e60d5126785c569db2475e7a7732846f3b0dd1dde024643783c25
SSDEEP

6144:p34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:pIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-4-0x0000000002E40000-0x0000000002E41000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1732-0-0x000007FEF6790000-0x000007FEF6837000-memory.dmp	dridex_payload
behavioral1/memory/1204-15-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1204-23-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1204-36-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1204-35-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1732-43-0x000007FEF6790000-0x000007FEF6837000-memory.dmp	dridex_payload
behavioral1/memory/2964-52-0x000007FEF6840000-0x000007FEF68E9000-memory.dmp	dridex_payload
behavioral1/memory/2964-56-0x000007FEF6840000-0x000007FEF68E9000-memory.dmp	dridex_payload
behavioral1/memory/2432-69-0x000007FEF6060000-0x000007FEF6108000-memory.dmp	dridex_payload
behavioral1/memory/2432-73-0x000007FEF6060000-0x000007FEF6108000-memory.dmp	dridex_payload
behavioral1/memory/580-88-0x000007FEF6060000-0x000007FEF6108000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

calc.exeSndVol.exeicardagt.exe

pid process

2964 calc.exe
2432 SndVol.exe
580 icardagt.exe
Loads dropped DLL 7 IoCs

Processes:

calc.exeSndVol.exeicardagt.exe

pid process

1204
2964 calc.exe
1204
2432 SndVol.exe
1204
580 icardagt.exe
1204

pid	process
2964	calc.exe
2432	SndVol.exe
580	icardagt.exe

pid	process
1204
2964	calc.exe
1204
2432	SndVol.exe
1204
580	icardagt.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnfwvyvycst = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1488793075-819845221-1497111674-1000\\yQDm\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SndVol.exeicardagt.exerundll32.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.execalc.exe

pid	process
1732	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
2964	calc.exe
2964	calc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2308	1204	calc.exe
PID 1204 wrote to memory of 2308	1204	calc.exe
PID 1204 wrote to memory of 2308	1204	calc.exe
PID 1204 wrote to memory of 2964	1204	calc.exe
PID 1204 wrote to memory of 2964	1204	calc.exe
PID 1204 wrote to memory of 2964	1204	calc.exe
PID 1204 wrote to memory of 2684	1204	SndVol.exe
PID 1204 wrote to memory of 2684	1204	SndVol.exe
PID 1204 wrote to memory of 2684	1204	SndVol.exe
PID 1204 wrote to memory of 2432	1204	SndVol.exe
PID 1204 wrote to memory of 2432	1204	SndVol.exe
PID 1204 wrote to memory of 2432	1204	SndVol.exe
PID 1204 wrote to memory of 1292	1204	icardagt.exe
PID 1204 wrote to memory of 1292	1204	icardagt.exe
PID 1204 wrote to memory of 1292	1204	icardagt.exe
PID 1204 wrote to memory of 580	1204	icardagt.exe
PID 1204 wrote to memory of 580	1204	icardagt.exe
PID 1204 wrote to memory of 580	1204	icardagt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\eLRGpZSe\calc.exe
C:\Users\Admin\AppData\Local\eLRGpZSe\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2684

C:\Users\Admin\AppData\Local\PSS5f5oh\SndVol.exe
C:\Users\Admin\AppData\Local\PSS5f5oh\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2432

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\NDLG36gk\icardagt.exe
C:\Users\Admin\AppData\Local\NDLG36gk\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NDLG36gk\VERSION.dll

Filesize
672KB

MD5
43b447ae8e78c384da13ea7d67088e79

SHA1
88e4bad22beafe6fb5de4329dd5bab462d0b94b9

SHA256
0f1da013e4094fe916bdb00889f62028445cc16baf549db5ff68e127ee00a23d

SHA512
12922ac8e2f6e3e2769a28317c167b7376ddb99db97779365919933c77b2654b996d2b10d5ec112ebe31caeb5cc04a3d3fdd412ed492f6125e7f00fd98583d2c

Download Submit
C:\Users\Admin\AppData\Local\eLRGpZSe\WINMM.dll

Filesize
676KB

MD5
d3531e1e81e8db735c07a29d6aa86c40

SHA1
3afd34f17ba7ead749dbe1de34748749be1a262e

SHA256
943fcc50145de51695aea796c00325e024b6e9dfa142cfe2252b778646019d48

SHA512
5a82814254cb4625603df6b05fd835e2b2a70796e192c20bba87b59d45513801510859fcc740f52d159e37d6722d71bc2b78898e6dd5e5ba400eda8029613fbe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk

Filesize
1KB

MD5
dd70e93c09db1a745d9649c0e7f66420

SHA1
daa6ea5c28b31e7bc25507926d346b1dae2cc051

SHA256
6d8dc357812443b842ff5ccef14c2fab784c8323cfd94f8df191607c74473c3c

SHA512
bade40792da7cb33a98f8a6adcffcd86769640a7cee76c36ffed34153b862e6ee94c164b2a9950b7eec7c3ad519488a0725a1b5d56363125c4ebb8376e0f6849

Download Submit
\Users\Admin\AppData\Local\NDLG36gk\icardagt.exe

Filesize
1.3MB

MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\PSS5f5oh\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\PSS5f5oh\UxTheme.dll

Filesize
672KB

MD5
a14a0cc92a8f04c7e764fe19501ffe2f

SHA1
bbd633c1b4f3c140cc6a0656e16a97586a2814f8

SHA256
e3ed5d48df9f72a8a1bb7e1756927a80071d76c8912ea64645880e249767fe57

SHA512
896d3cc219233e42d219f6d67b3e61daf6198dcf0c2e1bdec9610045ca7c0542797bc9920e41e29815f6999d16e2a668ebe087dbb299ba8d18dd893848bd9447

Download Submit
\Users\Admin\AppData\Local\eLRGpZSe\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
memory/580-88-0x000007FEF6060000-0x000007FEF6108000-memory.dmp

Filesize
672KB

Download
memory/1204-25-0x00000000772C0000-0x00000000772C2000-memory.dmp

Filesize
8KB

Download
memory/1204-44-0x0000000077026000-0x0000000077027000-memory.dmp

Filesize
4KB

Download
memory/1204-12-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-15-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-22-0x0000000002E20000-0x0000000002E27000-memory.dmp

Filesize
28KB

Download
memory/1204-14-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-13-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-23-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-3-0x0000000077026000-0x0000000077027000-memory.dmp

Filesize
4KB

Download
memory/1204-24-0x0000000077290000-0x0000000077292000-memory.dmp

Filesize
8KB

Download
memory/1204-36-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-35-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-4-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1204-6-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-7-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-8-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-11-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-10-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1204-9-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1732-43-0x000007FEF6790000-0x000007FEF6837000-memory.dmp

Filesize
668KB

Download
memory/1732-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1732-0-0x000007FEF6790000-0x000007FEF6837000-memory.dmp

Filesize
668KB

Download
memory/2432-69-0x000007FEF6060000-0x000007FEF6108000-memory.dmp

Filesize
672KB

Download
memory/2432-68-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2432-73-0x000007FEF6060000-0x000007FEF6108000-memory.dmp

Filesize
672KB

Download
memory/2964-56-0x000007FEF6840000-0x000007FEF68E9000-memory.dmp

Filesize
676KB

Download
memory/2964-52-0x000007FEF6840000-0x000007FEF68E9000-memory.dmp

Filesize
676KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads