dridex | db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a

General

Target

db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll
Size

1.4MB
MD5

e74399f942cf0cf81df1e8a4972bb8bb
SHA1

13416b3359fb3b1ce03acca069454bb4c228b3f0
SHA256

db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a
SHA512

09968cb2afead5f2626ed4c85471ffa0b80fab89066e4662dd07f86824a9873f149fa840950123989fe9fdee44649de6f52a7975da6d57ff29094ddfb4b459d0
SSDEEP

12288:DkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Cw1:DkMZ+gf4ltGd8H1fYO0q2G1Ahw1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3456-3-0x0000000008210000-0x0000000008211000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1276-1-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3456-38-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/3456-27-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/1276-41-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral2/memory/1656-48-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/1656-53-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/2512-69-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/3044-84-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

ddodiag.exerdpclip.exeMusNotifyIcon.exe

pid process

1656 ddodiag.exe
2512 rdpclip.exe
3044 MusNotifyIcon.exe
Loads dropped DLL 3 IoCs

Processes:

ddodiag.exerdpclip.exeMusNotifyIcon.exe

pid process

1656 ddodiag.exe
2512 rdpclip.exe
3044 MusNotifyIcon.exe

pid	process
1656	ddodiag.exe
2512	rdpclip.exe
3044	MusNotifyIcon.exe

pid	process
1656	ddodiag.exe
2512	rdpclip.exe
3044	MusNotifyIcon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\sy\\rdpclip.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeddodiag.exerdpclip.exeMusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1276	rundll32.exe
1276	rundll32.exe
1276	rundll32.exe
1276	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3456
3456
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3456

pid	process
3456
3456

pid	process
3456

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 4380	3456	ddodiag.exe
PID 3456 wrote to memory of 4380	3456	ddodiag.exe
PID 3456 wrote to memory of 1656	3456	ddodiag.exe
PID 3456 wrote to memory of 1656	3456	ddodiag.exe
PID 3456 wrote to memory of 2320	3456	rdpclip.exe
PID 3456 wrote to memory of 2320	3456	rdpclip.exe
PID 3456 wrote to memory of 2512	3456	rdpclip.exe
PID 3456 wrote to memory of 2512	3456	rdpclip.exe
PID 3456 wrote to memory of 4448	3456	MusNotifyIcon.exe
PID 3456 wrote to memory of 4448	3456	MusNotifyIcon.exe
PID 3456 wrote to memory of 3044	3456	MusNotifyIcon.exe
PID 3456 wrote to memory of 3044	3456	MusNotifyIcon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:4380

C:\Users\Admin\AppData\Local\EROYhH\ddodiag.exe
C:\Users\Admin\AppData\Local\EROYhH\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1656

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2320

C:\Users\Admin\AppData\Local\6zEN\rdpclip.exe
C:\Users\Admin\AppData\Local\6zEN\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2512

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:4448

C:\Users\Admin\AppData\Local\BNv9\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\BNv9\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6zEN\WTSAPI32.dll

Filesize
1.4MB

MD5
68b3a57d05cfbf46f1001fa1d879a8ac

SHA1
610d08b5b4637cdd9ac2b790a334122a9fc70c56

SHA256
687a4d838aa766b032e7c5f9840296beda85b24cba38779ad840bca7929da2d8

SHA512
cdeb5677e4ee7491a8094872747a150e61ee0241f3b89e0dfff69b3b4df96a29e6d5431008cbcca014375e68a2fbb3ff659e172691a2e8586f0b8ac7902ebec8

Download Submit
C:\Users\Admin\AppData\Local\6zEN\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Local\BNv9\MusNotifyIcon.exe

Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\BNv9\UxTheme.dll

Filesize
1.4MB

MD5
df8031a3170752f16ed55eb81eac8aa0

SHA1
3f993ed79a494c2a262bf63aee1b5e3da691aa33

SHA256
7f95c3e87a5d6a325619a62ed1e02a465c88bddb91a185d2e68ac11a94ff69d7

SHA512
50ea3a1396e70c9b24bd8bb1597e331888cf05a81a09b3eee6bb200f516d80efa0668ed581b0ffb304977a99f341c306579bf9084f42004dd2303ec490f4549e

Download Submit
C:\Users\Admin\AppData\Local\EROYhH\XmlLite.dll

Filesize
1.4MB

MD5
eb47b7ef920fa64117f331aa7e54e936

SHA1
86a8b9d1074a8d2e02a14e89c9200777e2e8338a

SHA256
1119e085cfdd66761bc2bd8ea1aef61c9aa9833d774387af587be842ae5d6746

SHA512
c9c7266269bf526e08937e0f872cd57f54c690e00b2b68e2c25aa7c73549cb27ac852fc687cd5be1a4e5f69b1a9f52ef9837ab8b4832e12a0594669d7521ed73

Download Submit
C:\Users\Admin\AppData\Local\EROYhH\ddodiag.exe

Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
6cb82228dd2c93a4d9b611daf2996597

SHA1
11184077fab5af16f9b732e03f362fb2ec39520f

SHA256
79cf9e0a8d1e64b43a461d343a6c6d19f88d71ed893d268635eefb2f8127e0a1

SHA512
8ca96a88b05f69add543008e029bd3e11eafc0e9a6b2b9e1af0ff98860dc77787b29ee4a0912960a83369c6073232f0f441478d73c0e69e94c77410382487a33

Download Submit
memory/1276-41-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1276-0-0x000001405E840000-0x000001405E847000-memory.dmp

Filesize
28KB

Download
memory/1276-1-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1656-53-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1656-50-0x0000015E142A0000-0x0000015E142A7000-memory.dmp

Filesize
28KB

Download
memory/1656-48-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2512-69-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2512-66-0x0000023A7FE50000-0x0000023A7FE57000-memory.dmp

Filesize
28KB

Download
memory/3044-84-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3456-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-6-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-5-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-3-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download
memory/3456-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-17-0x00007FFF0465A000-0x00007FFF0465B000-memory.dmp

Filesize
4KB

Download
memory/3456-38-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-28-0x00007FFF04F40000-0x00007FFF04F50000-memory.dmp

Filesize
64KB

Download
memory/3456-29-0x00007FFF04F30000-0x00007FFF04F40000-memory.dmp

Filesize
64KB

Download
memory/3456-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-26-0x00000000081E0000-0x00000000081E7000-memory.dmp

Filesize
28KB

Download
memory/3456-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3456-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads