dridex | afba02c33a5c421b7cb7fc7ff9f99d8160a785cb259a688fb75e8c7fdce9931c

General

Target

afba02c33a5c421b7cb7fc7ff9f99d8160a785cb259a688fb75e8c7fdce9931c.dll
Size

944KB
MD5

01c459593f35851fbb479c78490572e5
SHA1

3e1d026171828708e4d6cb4063e7207abae41353
SHA256

afba02c33a5c421b7cb7fc7ff9f99d8160a785cb259a688fb75e8c7fdce9931c
SHA512

1ae6329f54eec7984a23dae1d400bc73d9e36fcc73489c17a4f0b2650cf1b846c2a95fab49bdb9f3b4e52ef4ff84a359f2d20523169c548aacf67724b2402bb1
SSDEEP

6144:634xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTK:6IKp/UWCZdCDh2IZDwAFRpR6AuoK

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-4-0x0000000002F50000-0x0000000002F51000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1860-0-0x000007FEF6000000-0x000007FEF60EC000-memory.dmp	dridex_payload
behavioral1/memory/1212-16-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1212-24-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1212-35-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1212-36-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1860-44-0x000007FEF6000000-0x000007FEF60EC000-memory.dmp	dridex_payload
behavioral1/memory/2672-54-0x000007FEF6600000-0x000007FEF66ED000-memory.dmp	dridex_payload
behavioral1/memory/2672-58-0x000007FEF6600000-0x000007FEF66ED000-memory.dmp	dridex_payload
behavioral1/memory/1680-71-0x000007FEF6000000-0x000007FEF60ED000-memory.dmp	dridex_payload
behavioral1/memory/1680-73-0x000007FEF6000000-0x000007FEF60ED000-memory.dmp	dridex_payload
behavioral1/memory/292-87-0x000007FEF5FD0000-0x000007FEF60F0000-memory.dmp	dridex_payload
behavioral1/memory/292-91-0x000007FEF5FD0000-0x000007FEF60F0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exeSystemPropertiesRemote.exeWindowsAnytimeUpgradeResults.exe

pid process

2672 DisplaySwitch.exe
1680 SystemPropertiesRemote.exe
292 WindowsAnytimeUpgradeResults.exe
Loads dropped DLL 7 IoCs

Processes:

DisplaySwitch.exeSystemPropertiesRemote.exeWindowsAnytimeUpgradeResults.exe

pid process

1212
2672 DisplaySwitch.exe
1212
1680 SystemPropertiesRemote.exe
1212
292 WindowsAnytimeUpgradeResults.exe
1212

pid	process
2672	DisplaySwitch.exe
1680	SystemPropertiesRemote.exe
292	WindowsAnytimeUpgradeResults.exe

pid	process
1212
2672	DisplaySwitch.exe
1212
1680	SystemPropertiesRemote.exe
1212
292	WindowsAnytimeUpgradeResults.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\xd44Q\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDisplaySwitch.exeSystemPropertiesRemote.exeWindowsAnytimeUpgradeResults.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1860	rundll32.exe
1860	rundll32.exe
1860	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 1676	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 1676	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 1676	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 2672	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 2672	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 2672	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 2984	1212	SystemPropertiesRemote.exe
PID 1212 wrote to memory of 2984	1212	SystemPropertiesRemote.exe
PID 1212 wrote to memory of 2984	1212	SystemPropertiesRemote.exe
PID 1212 wrote to memory of 1680	1212	SystemPropertiesRemote.exe
PID 1212 wrote to memory of 1680	1212	SystemPropertiesRemote.exe
PID 1212 wrote to memory of 1680	1212	SystemPropertiesRemote.exe
PID 1212 wrote to memory of 1500	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1500	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1500	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 292	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 292	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 292	1212	WindowsAnytimeUpgradeResults.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\afba02c33a5c421b7cb7fc7ff9f99d8160a785cb259a688fb75e8c7fdce9931c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1676

C:\Users\Admin\AppData\Local\1cW1PcE\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\1cW1PcE\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2672

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Zxu70\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\Zxu70\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1680

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:1500

C:\Users\Admin\AppData\Local\7jb2Noa\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\7jb2Noa\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1cW1PcE\slc.dll

Filesize
948KB

MD5
721d32f00ea3cfaab36a06f34926d911

SHA1
a3085742781f82327a1bb2cca5b3610631f2197f

SHA256
25f2bf7dc3ef0de0645cf34b9dd7d7582b212758d1576cb1b8250092200ead06

SHA512
c5f5bbf82dc1193e4e2a9566e3a00172cd85b1af2dec731dfb40c91c9652682c31b9a0859de438b709ff74c26b4bbd61e3eebe8f5a63e6b483523cc3181c4afa

Download Submit
C:\Users\Admin\AppData\Local\7jb2Noa\DUI70.dll

Filesize
1.1MB

MD5
074e3195c41eda96d6ae58cc3cfe1b93

SHA1
ebc0e134edd8dde71739171ad23f6c00fbdf1ccb

SHA256
71a985759c21a541d45754dfcf038ccee5fca4a995a0a01a603f93d8828d648e

SHA512
c817334cbaf2b9548aedd58ae00c4345a9ab4b5c68785a6bf9542694783938f91072ecf7abd6f7b5742d9eeea39c59b67b23b485222840690b26bd6dce96dd09

Download Submit
C:\Users\Admin\AppData\Local\Zxu70\SYSDM.CPL

Filesize
948KB

MD5
bc05c5be2729fd1c2e0ee2630887ddbd

SHA1
6f3106b3a8f79c5a0b89cc69d3d47a396703efe0

SHA256
5414e0dba1a1831570ea526a0de5ee9c338c95ebfe3a4eac2806ff5ff459fe95

SHA512
7e57b96e34ff0f13b767542c77b204cbd07776e1c92b45aa22d2daf9472e190feb2254e7b4e8a2ca2aeff5d269baf98b959a4343fc7b9ed1c0442a63c72604b0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
bc4152870d8898c1d897e096b75ebc47

SHA1
dfacca5f2e72536ef7967726288325257063265a

SHA256
65c210927496056ab2332da38acc78564a46ed0c6850465ddb0fe3954fcd1555

SHA512
1c50ef21c07141c68361a3be63a431d3449798b29df4ae238d98140b0668c6cea22a6b5816430cdf3c6c2ac1c98eb8afacbebb0d6d5c43abf02fa0a686e0a60d

Download Submit
\Users\Admin\AppData\Local\1cW1PcE\DisplaySwitch.exe

Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\7jb2Noa\WindowsAnytimeUpgradeResults.exe

Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
\Users\Admin\AppData\Local\Zxu70\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
memory/292-91-0x000007FEF5FD0000-0x000007FEF60F0000-memory.dmp

Filesize
1.1MB

Download
memory/292-87-0x000007FEF5FD0000-0x000007FEF60F0000-memory.dmp

Filesize
1.1MB

Download
memory/1212-26-0x00000000770C0000-0x00000000770C2000-memory.dmp

Filesize
8KB

Download
memory/1212-7-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-16-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-15-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-12-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-11-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-10-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-24-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-25-0x0000000077090000-0x0000000077092000-memory.dmp

Filesize
8KB

Download
memory/1212-3-0x0000000076E26000-0x0000000076E27000-memory.dmp

Filesize
4KB

Download
memory/1212-35-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-36-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-9-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-45-0x0000000076E26000-0x0000000076E27000-memory.dmp

Filesize
4KB

Download
memory/1212-14-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-23-0x0000000002E60000-0x0000000002E67000-memory.dmp

Filesize
28KB

Download
memory/1212-8-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-4-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1212-6-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1212-13-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1680-70-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1680-71-0x000007FEF6000000-0x000007FEF60ED000-memory.dmp

Filesize
948KB

Download
memory/1680-73-0x000007FEF6000000-0x000007FEF60ED000-memory.dmp

Filesize
948KB

Download
memory/1860-44-0x000007FEF6000000-0x000007FEF60EC000-memory.dmp

Filesize
944KB

Download
memory/1860-0-0x000007FEF6000000-0x000007FEF60EC000-memory.dmp

Filesize
944KB

Download
memory/1860-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2672-58-0x000007FEF6600000-0x000007FEF66ED000-memory.dmp

Filesize
948KB

Download
memory/2672-54-0x000007FEF6600000-0x000007FEF66ED000-memory.dmp

Filesize
948KB

Download
memory/2672-53-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads