dridex | 4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a

General

Target

4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a.dll
Size

952KB
MD5

b432d15a89c0b864b8f28153733c9e2e
SHA1

7dd1e2dd2f3a78cecee6cee02c5725d93a412b46
SHA256

4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a
SHA512

4c5eaebdb580839d6611dd34196bb084b79550ee2aa0b19ce26175fa5746ab6921a5b932a59587431abadba12ee95b048f0d2a2bb66e4ca69597bc51f41dec8b
SSDEEP

6144:p34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:pIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3424-4-0x0000000002800000-0x0000000002801000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2128-1-0x00007FFCCEEA0000-0x00007FFCCEF8E000-memory.dmp	dridex_payload
behavioral2/memory/3424-18-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral2/memory/3424-26-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral2/memory/3424-37-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral2/memory/2128-40-0x00007FFCCEEA0000-0x00007FFCCEF8E000-memory.dmp	dridex_payload
behavioral2/memory/4204-52-0x00007FFCC0DB0000-0x00007FFCC0E9F000-memory.dmp	dridex_payload
behavioral2/memory/4204-48-0x00007FFCC0DB0000-0x00007FFCC0E9F000-memory.dmp	dridex_payload
behavioral2/memory/1344-64-0x00007FFCC0D50000-0x00007FFCC0E3F000-memory.dmp	dridex_payload
behavioral2/memory/1344-67-0x00007FFCC0D50000-0x00007FFCC0E3F000-memory.dmp	dridex_payload
behavioral2/memory/872-76-0x00007FFCBFFE0000-0x00007FFCC00D0000-memory.dmp	dridex_payload
behavioral2/memory/872-80-0x00007FFCBFFE0000-0x00007FFCC00D0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesProtection.exeMagnify.exeLockScreenContentServer.exe

pid process

4204 SystemPropertiesProtection.exe
1344 Magnify.exe
872 LockScreenContentServer.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesProtection.exeMagnify.exeLockScreenContentServer.exe

pid process

4204 SystemPropertiesProtection.exe
1344 Magnify.exe
872 LockScreenContentServer.exe

pid	process
4204	SystemPropertiesProtection.exe
1344	Magnify.exe
872	LockScreenContentServer.exe

pid	process
4204	SystemPropertiesProtection.exe
1344	Magnify.exe
872	LockScreenContentServer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\IRtxl\\Magnify.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesProtection.exeMagnify.exeLockScreenContentServer.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2128	rundll32.exe
2128	rundll32.exe
2128	rundll32.exe
2128	rundll32.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3424

pid	process
3424

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3424 wrote to memory of 936	3424	SystemPropertiesProtection.exe
PID 3424 wrote to memory of 936	3424	SystemPropertiesProtection.exe
PID 3424 wrote to memory of 4204	3424	SystemPropertiesProtection.exe
PID 3424 wrote to memory of 4204	3424	SystemPropertiesProtection.exe
PID 3424 wrote to memory of 376	3424	Magnify.exe
PID 3424 wrote to memory of 376	3424	Magnify.exe
PID 3424 wrote to memory of 1344	3424	Magnify.exe
PID 3424 wrote to memory of 1344	3424	Magnify.exe
PID 3424 wrote to memory of 1784	3424	LockScreenContentServer.exe
PID 3424 wrote to memory of 1784	3424	LockScreenContentServer.exe
PID 3424 wrote to memory of 872	3424	LockScreenContentServer.exe
PID 3424 wrote to memory of 872	3424	LockScreenContentServer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:936

C:\Users\Admin\AppData\Local\9Z7f1t\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\9Z7f1t\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4204

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:376

C:\Users\Admin\AppData\Local\MMb3\Magnify.exe
C:\Users\Admin\AppData\Local\MMb3\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1344

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:1784

C:\Users\Admin\AppData\Local\kZE\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\kZE\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9Z7f1t\SYSDM.CPL

Filesize
956KB

MD5
531ac372a5a5a192037e803f6312289d

SHA1
d229c3ee83b88b695dadb1d2d51ce714ffe71366

SHA256
4e7088ca73ea2f919cf0f0d7becf8b9396b9f61ac72a4ee20212fa4b49aeaa18

SHA512
0feda61cf5207d3c046002360b0f8f6923f8e039b137eb8b790d2ca9f3dbf25c1f920fe9c43f7690f950427d4fa6dc2fad25b7462141e1b7e98bfd2ec4d210dd

Download Submit
C:\Users\Admin\AppData\Local\9Z7f1t\SystemPropertiesProtection.exe

Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Local\MMb3\Magnify.exe

Filesize
639KB

MD5
4029890c147e3b4c6f41dfb5f9834d42

SHA1
10d08b3f6dabe8171ca2dd52e5737e3402951c75

SHA256
57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

SHA512
dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

Download Submit
C:\Users\Admin\AppData\Local\MMb3\dwmapi.dll

Filesize
956KB

MD5
f4e54b76f1a46cac2b9f48bce556425d

SHA1
04d9c998e794062fef71021f5e4708e18486befd

SHA256
397549f5f54d12d10628ba300b30d3d2e75bea0b9d45acaef36a46fc99af993d

SHA512
958e9d0980ecded609dac8149994327e6abd858a303c34e30ae10ceefaf45e7d271dd633752afcffb94f1ef79aa4e5a02cf1a595dae0beca0dea3eb6fe2df2ed

Download Submit
C:\Users\Admin\AppData\Local\kZE\DUser.dll

Filesize
960KB

MD5
02ed3c524f0fcec61c0b10afd00168f7

SHA1
ee465d905996397d690b50c869ee437435a2c3a0

SHA256
aa6cceb3cd557877f6e1f66c9dfa8b4dc35503ae70b6cc1d47e9305ab7b7bb72

SHA512
62d6290fb70ff0290705f6d860cbcbeb7c53ac46a7586fe1c843cfebb7e7b70aa66b08a5a08dbed157aba1241bac7fa3627306b685017972979f72b18f4a24b6

Download Submit
C:\Users\Admin\AppData\Local\kZE\LockScreenContentServer.exe

Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
c428f26c3663a31266f0d0bff59ff72d

SHA1
403592a99c0f15411cf9dac60e7833a5b5c05c67

SHA256
13b1a8871450d6c03c1aea1303e8464aeccb3c059bc0463d969d77d5a97f070c

SHA512
306730fde3ebebc964b6efed4b0f85c519f0501a2579105cc7fdf4a5ae441bff540754199c28677d7cb2520e7975f8ed8d4b44b672c0a6fcc899a3b2523dd5f3

Download Submit
memory/872-80-0x00007FFCBFFE0000-0x00007FFCC00D0000-memory.dmp

Filesize
960KB

Download
memory/872-76-0x00007FFCBFFE0000-0x00007FFCC00D0000-memory.dmp

Filesize
960KB

Download
memory/1344-63-0x000001E025000000-0x000001E025007000-memory.dmp

Filesize
28KB

Download
memory/1344-64-0x00007FFCC0D50000-0x00007FFCC0E3F000-memory.dmp

Filesize
956KB

Download
memory/1344-67-0x00007FFCC0D50000-0x00007FFCC0E3F000-memory.dmp

Filesize
956KB

Download
memory/2128-0-0x0000015620510000-0x0000015620517000-memory.dmp

Filesize
28KB

Download
memory/2128-1-0x00007FFCCEEA0000-0x00007FFCCEF8E000-memory.dmp

Filesize
952KB

Download
memory/2128-40-0x00007FFCCEEA0000-0x00007FFCCEF8E000-memory.dmp

Filesize
952KB

Download
memory/3424-7-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-28-0x00007FFCDE730000-0x00007FFCDE740000-memory.dmp

Filesize
64KB

Download
memory/3424-9-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-11-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-15-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-6-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-37-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-12-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-13-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-14-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-4-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/3424-3-0x00007FFCDC98A000-0x00007FFCDC98B000-memory.dmp

Filesize
4KB

Download
memory/3424-10-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-17-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-26-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-27-0x00007FFCDE740000-0x00007FFCDE750000-memory.dmp

Filesize
64KB

Download
memory/3424-8-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-25-0x0000000000EC0000-0x0000000000EC7000-memory.dmp

Filesize
28KB

Download
memory/3424-18-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/3424-16-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/4204-48-0x00007FFCC0DB0000-0x00007FFCC0E9F000-memory.dmp

Filesize
956KB

Download
memory/4204-52-0x00007FFCC0DB0000-0x00007FFCC0E9F000-memory.dmp

Filesize
956KB

Download
memory/4204-47-0x0000020DD8110000-0x0000020DD8117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads