dridex | 21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f

General

Target

21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll
Size

1.2MB
MD5

2a6a4941d8146df58356dd5c72b0478a
SHA1

c6f28c746bddcc4e68512911bc99afe0d8f2d3d9
SHA256

21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f
SHA512

5d36fd395ea33e9a838fca4b5b0a7eabe893fb6e51f39e2aae59ad60c763e6b5bf83e2cedbe9095b74bff682ee300f13c777254e81e4ef724699167f1f5094f9
SSDEEP

6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTP:kIKp/UWCZdCDh2IZDwAFRpR6Au+

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3420-3-0x0000000002C90000-0x0000000002C91000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3180-0-0x00007FFBBCAA0000-0x00007FFBBCBD3000-memory.dmp	dridex_payload
behavioral2/memory/3420-18-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/3420-37-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/3420-26-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/3180-40-0x00007FFBBCAA0000-0x00007FFBBCBD3000-memory.dmp	dridex_payload
behavioral2/memory/4368-48-0x00007FFBADD30000-0x00007FFBADE64000-memory.dmp	dridex_payload
behavioral2/memory/4368-52-0x00007FFBADD30000-0x00007FFBADE64000-memory.dmp	dridex_payload
behavioral2/memory/832-63-0x00007FFBADCF0000-0x00007FFBADE69000-memory.dmp	dridex_payload
behavioral2/memory/832-68-0x00007FFBADCF0000-0x00007FFBADE69000-memory.dmp	dridex_payload
behavioral2/memory/3004-83-0x00007FFBADD30000-0x00007FFBADE64000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

CustomShellHost.exeCameraSettingsUIHost.exeCloudNotifications.exe

pid process

4368 CustomShellHost.exe
832 CameraSettingsUIHost.exe
3004 CloudNotifications.exe
Loads dropped DLL 3 IoCs

Processes:

CustomShellHost.exeCameraSettingsUIHost.exeCloudNotifications.exe

pid process

4368 CustomShellHost.exe
832 CameraSettingsUIHost.exe
3004 CloudNotifications.exe

pid	process
4368	CustomShellHost.exe
832	CameraSettingsUIHost.exe
3004	CloudNotifications.exe

pid	process
4368	CustomShellHost.exe
832	CameraSettingsUIHost.exe
3004	CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\VXur\\CameraSettingsUIHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

CloudNotifications.exerundll32.exeCustomShellHost.exeCameraSettingsUIHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3420
3420

pid	process
3420
3420

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3420 wrote to memory of 4716	3420	CustomShellHost.exe
PID 3420 wrote to memory of 4716	3420	CustomShellHost.exe
PID 3420 wrote to memory of 4368	3420	CustomShellHost.exe
PID 3420 wrote to memory of 4368	3420	CustomShellHost.exe
PID 3420 wrote to memory of 3596	3420	CameraSettingsUIHost.exe
PID 3420 wrote to memory of 3596	3420	CameraSettingsUIHost.exe
PID 3420 wrote to memory of 832	3420	CameraSettingsUIHost.exe
PID 3420 wrote to memory of 832	3420	CameraSettingsUIHost.exe
PID 3420 wrote to memory of 1916	3420	CloudNotifications.exe
PID 3420 wrote to memory of 1916	3420	CloudNotifications.exe
PID 3420 wrote to memory of 3004	3420	CloudNotifications.exe
PID 3420 wrote to memory of 3004	3420	CloudNotifications.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:4716

C:\Users\Admin\AppData\Local\EDl\CustomShellHost.exe
C:\Users\Admin\AppData\Local\EDl\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4368

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:3596

C:\Users\Admin\AppData\Local\oeR\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\oeR\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:832

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:1916

C:\Users\Admin\AppData\Local\eVY\CloudNotifications.exe
C:\Users\Admin\AppData\Local\eVY\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EDl\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\EDl\WTSAPI32.dll

Filesize
1.2MB

MD5
eac4255c55922cd800ca04092808ba47

SHA1
f3acf57dc281c93054e6776f1d95ebf841f01c81

SHA256
ac48c1a041fce022bea67e28c2de090102a40d34f77682428904e5ba14092ae7

SHA512
fb1040a50ff63e4c3ea0297d389af4a5ab21e22dabd8aa293e210ea3a4707d5564fffe3a4d8047a9537987d9d8179d6b997bf60ea5f0db019456d1d71b901894

Download Submit
C:\Users\Admin\AppData\Local\eVY\CloudNotifications.exe

Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\eVY\UxTheme.dll

Filesize
1.2MB

MD5
1f34a62b1d28f70a48b61a38bbdebff5

SHA1
d26c0b9c1878958d5fc7696b7d696e832c14b9f7

SHA256
071aa0bb13bc4c35a25f71faf15c42765b0b7df80312e2ab47f5e3772ebbe4aa

SHA512
544298616501288b6b698ee87efa756440fcacf1d5a0f9d2b57bd88eebd768e86ea6d7e686c3fe110c09a807bf8270c8aa229c89ed79e6208c4fa0e552c1fcb0

Download Submit
C:\Users\Admin\AppData\Local\oeR\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\oeR\DUI70.dll

Filesize
1.5MB

MD5
8946447c215bffa9d166430e5acbf4cf

SHA1
189c3372680170b5b789aa80ae91ddcd6ccd5efa

SHA256
a5be137e150c8f4f27b2ffd093bf449ed4a184711bc0a588c818f74173ca0154

SHA512
e92c639967b1a72752afe24710dee02c87f57f50dafd82719197d251346e137699b9f0d158ea04f9e4854ea14a3f52ccbd88c511bfdfe42a30277db41857f1f0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
b0b6a5684a992dd2ee0f81df9f63c4fc

SHA1
92517e807bf36fd47df8bf9c902d2a86a3abd71e

SHA256
b0700485fb04fc469dae18a442e8546f4fe08f2e800323336bce1310703936c2

SHA512
c5347307eba52107a3a3ba5647fcbab8140c65aaea7d798b4ae985d6ed6bf94d7ad21ac017d5deb15cf754a706f97106a058fb0747e350e5dbf162089f7b2f00

Download Submit
memory/832-68-0x00007FFBADCF0000-0x00007FFBADE69000-memory.dmp

Filesize
1.5MB

Download
memory/832-65-0x000001FA17B00000-0x000001FA17B07000-memory.dmp

Filesize
28KB

Download
memory/832-63-0x00007FFBADCF0000-0x00007FFBADE69000-memory.dmp

Filesize
1.5MB

Download
memory/3004-83-0x00007FFBADD30000-0x00007FFBADE64000-memory.dmp

Filesize
1.2MB

Download
memory/3180-0-0x00007FFBBCAA0000-0x00007FFBBCBD3000-memory.dmp

Filesize
1.2MB

Download
memory/3180-2-0x00000284C7A20000-0x00000284C7A27000-memory.dmp

Filesize
28KB

Download
memory/3180-40-0x00007FFBBCAA0000-0x00007FFBBCBD3000-memory.dmp

Filesize
1.2MB

Download
memory/3420-37-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-17-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-7-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-6-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-10-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-28-0x00007FFBCB850000-0x00007FFBCB860000-memory.dmp

Filesize
64KB

Download
memory/3420-27-0x00007FFBCB860000-0x00007FFBCB870000-memory.dmp

Filesize
64KB

Download
memory/3420-26-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-11-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-12-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-13-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-5-0x00007FFBCA0EA000-0x00007FFBCA0EB000-memory.dmp

Filesize
4KB

Download
memory/3420-3-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3420-9-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-14-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-15-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-8-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-18-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3420-25-0x0000000002690000-0x0000000002697000-memory.dmp

Filesize
28KB

Download
memory/3420-16-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/4368-52-0x00007FFBADD30000-0x00007FFBADE64000-memory.dmp

Filesize
1.2MB

Download
memory/4368-48-0x00007FFBADD30000-0x00007FFBADE64000-memory.dmp

Filesize
1.2MB

Download
memory/4368-47-0x0000023C73890000-0x0000023C73897000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads