dridex | 3d547a32ba5e9558dae5877fbf177d8f1ad64ffbe75b9dd479d1a4271e9bf596

General

Target

3d547a32ba5e9558dae5877fbf177d8f1ad64ffbe75b9dd479d1a4271e9bf596.dll
Size

672KB
MD5

7184ef15375279757405bee2a9a39f9c
SHA1

e205028e3ce6cbb7aab6700a37e3bd0b318626ca
SHA256

3d547a32ba5e9558dae5877fbf177d8f1ad64ffbe75b9dd479d1a4271e9bf596
SHA512

b780417f016aaaac4efff3783b8f9c1e5ef74e1d04147a52b96d539cfb72e4496789ef2f820693ed5fd567f11b8c3d41d3f6a9744bbc22056e865212d7ba3ac6
SSDEEP

6144:t34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTR:tIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1244-4-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2056-0-0x000007FEF65D0000-0x000007FEF6678000-memory.dmp	dridex_payload
behavioral1/memory/1244-25-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1244-17-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1244-36-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1244-40-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/2056-45-0x000007FEF65D0000-0x000007FEF6678000-memory.dmp	dridex_payload
behavioral1/memory/2776-54-0x000007FEF7110000-0x000007FEF71BA000-memory.dmp	dridex_payload
behavioral1/memory/2776-59-0x000007FEF7110000-0x000007FEF71BA000-memory.dmp	dridex_payload
behavioral1/memory/3060-72-0x000007FEF7110000-0x000007FEF71B9000-memory.dmp	dridex_payload
behavioral1/memory/3060-76-0x000007FEF7110000-0x000007FEF71B9000-memory.dmp	dridex_payload
behavioral1/memory/2912-92-0x000007FEF7110000-0x000007FEF71B9000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exesdclt.exetabcal.exe

pid process

2776 rdpclip.exe
3060 sdclt.exe
2912 tabcal.exe
Loads dropped DLL 7 IoCs

Processes:

rdpclip.exesdclt.exetabcal.exe

pid process

1244
2776 rdpclip.exe
1244
3060 sdclt.exe
1244
2912 tabcal.exe
1244

pid	process
2776	rdpclip.exe
3060	sdclt.exe
2912	tabcal.exe

pid	process
1244
2776	rdpclip.exe
1244
3060	sdclt.exe
1244
2912	tabcal.exe
1244

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\7LHNWBGG\\Z2L9FX~1\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exesdclt.exetabcal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1244 wrote to memory of 2952	1244	rdpclip.exe
PID 1244 wrote to memory of 2952	1244	rdpclip.exe
PID 1244 wrote to memory of 2952	1244	rdpclip.exe
PID 1244 wrote to memory of 2776	1244	rdpclip.exe
PID 1244 wrote to memory of 2776	1244	rdpclip.exe
PID 1244 wrote to memory of 2776	1244	rdpclip.exe
PID 1244 wrote to memory of 2652	1244	sdclt.exe
PID 1244 wrote to memory of 2652	1244	sdclt.exe
PID 1244 wrote to memory of 2652	1244	sdclt.exe
PID 1244 wrote to memory of 3060	1244	sdclt.exe
PID 1244 wrote to memory of 3060	1244	sdclt.exe
PID 1244 wrote to memory of 3060	1244	sdclt.exe
PID 1244 wrote to memory of 852	1244	tabcal.exe
PID 1244 wrote to memory of 852	1244	tabcal.exe
PID 1244 wrote to memory of 852	1244	tabcal.exe
PID 1244 wrote to memory of 2912	1244	tabcal.exe
PID 1244 wrote to memory of 2912	1244	tabcal.exe
PID 1244 wrote to memory of 2912	1244	tabcal.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d547a32ba5e9558dae5877fbf177d8f1ad64ffbe75b9dd479d1a4271e9bf596.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2952

C:\Users\Admin\AppData\Local\69I\rdpclip.exe
C:\Users\Admin\AppData\Local\69I\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2652

C:\Users\Admin\AppData\Local\5mar1bwV\sdclt.exe
C:\Users\Admin\AppData\Local\5mar1bwV\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3060

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:852

C:\Users\Admin\AppData\Local\Ac0Uub\tabcal.exe
C:\Users\Admin\AppData\Local\Ac0Uub\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5mar1bwV\SPP.dll

Filesize
676KB

MD5
37b1261de22d22399870e871b31d4dbb

SHA1
2a156c2ffc347a2987d0dfe5ac7aed0f3f81cd41

SHA256
b5e75ead1f1eca1d7716d23d2f6ae5e845be5626dfae90dda977fed930bd4dfe

SHA512
5d8fe8c102f00cc576825f189ed3cfe8d8ec4b9c8cd69e8a174a098603fabf2d97a8fb97f0daafdc8ddd9d3b66218f9846a2ccdbc36812e027029ed35a0cf940

Download Submit
C:\Users\Admin\AppData\Local\69I\WINSTA.dll

Filesize
680KB

MD5
749265f6baaa9c4cfc2b295347346265

SHA1
3e85082e6490309cebcd3318ea139cbffde51aca

SHA256
e9651473e5a90177e441d5e8a3c437ccafbfd0d4d6f2a1736bc9c786276c12fb

SHA512
80809990d92ae947daba41e232bb3ef5242eeb16710bb9fd569f55697210e4fe856ba4673fe1f6b9bf4613122d81a6669a9b3672d022c8a59b46ed121744725c

Download Submit
C:\Users\Admin\AppData\Local\Ac0Uub\HID.DLL

Filesize
676KB

MD5
07cdb7e2f54279638eef5db2b22fbba2

SHA1
1385f34f7b2a1d6b51c2e352cc80908b2627af3b

SHA256
0e6f3cf09d399ee9cbdab502f92e78695d15985eb325e86158d9a61428a084d3

SHA512
11a18a7718fdd857af13ccbf5ddd9825769daf9cddfc1848a5b7a0a8dd1c2eee2765751c8e85dc18c0835ee1d581c317f3ec180356ca638e0d5721a7b70cbef3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
933B

MD5
a7895ddd3a98a69e0f80df922f3a1166

SHA1
1406b3da47ef073e72ab06a77a0ef6cce522d875

SHA256
f749d00b6ad355d843b8b2f6b1d0c1c47ebe585f451b55a084af00af35489065

SHA512
207e92b4de2b8c8a5c2aae4129b808e16fc58ca903c886306a97f5f08addbb965c033d4b0d91df41a95de16929a71fe876aa60c928a240fca12edd422c6f72a4

Download Submit
\Users\Admin\AppData\Local\5mar1bwV\sdclt.exe

Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Local\69I\rdpclip.exe

Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\Ac0Uub\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
memory/1244-26-0x0000000077000000-0x0000000077002000-memory.dmp

Filesize
8KB

Download
memory/1244-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-3-0x0000000076D96000-0x0000000076D97000-memory.dmp

Filesize
4KB

Download
memory/1244-27-0x0000000077030000-0x0000000077032000-memory.dmp

Filesize
8KB

Download
memory/1244-36-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-40-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1244-46-0x0000000076D96000-0x0000000076D97000-memory.dmp

Filesize
4KB

Download
memory/1244-24-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

Filesize
28KB

Download
memory/1244-25-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1244-17-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/2056-45-0x000007FEF65D0000-0x000007FEF6678000-memory.dmp

Filesize
672KB

Download
memory/2056-2-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/2056-0-0x000007FEF65D0000-0x000007FEF6678000-memory.dmp

Filesize
672KB

Download
memory/2776-59-0x000007FEF7110000-0x000007FEF71BA000-memory.dmp

Filesize
680KB

Download
memory/2776-56-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2776-54-0x000007FEF7110000-0x000007FEF71BA000-memory.dmp

Filesize
680KB

Download
memory/2912-92-0x000007FEF7110000-0x000007FEF71B9000-memory.dmp

Filesize
676KB

Download
memory/3060-71-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3060-72-0x000007FEF7110000-0x000007FEF71B9000-memory.dmp

Filesize
676KB

Download
memory/3060-76-0x000007FEF7110000-0x000007FEF71B9000-memory.dmp

Filesize
676KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads