dridex | 9c8c8ac4777f6e405e3c0d2bb0e1bed5d1b2f76d20e1ade9e7c67b9e09df97f3

General

Target

9c8c8ac4777f6e405e3c0d2bb0e1bed5d1b2f76d20e1ade9e7c67b9e09df97f3.dll
Size

676KB
MD5

354125f74bf6ead1524646a2a042e721
SHA1

52f947c20843fa442f94cdcb49650369d27a96de
SHA256

9c8c8ac4777f6e405e3c0d2bb0e1bed5d1b2f76d20e1ade9e7c67b9e09df97f3
SHA512

36590d7ad1b0b747c644383879ce43c795b4a432b0ae9ea65c0fc045c06af802f0f71c2fc631e1a4519251135488e0c05fa21a289d26724528147b7ff7792af9
SSDEEP

6144:t34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:tIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-4-0x0000000002230000-0x0000000002231000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2580-1-0x000007FEFB940000-0x000007FEFB9E9000-memory.dmp	dridex_payload
behavioral1/memory/1192-18-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1192-26-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1192-38-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1192-37-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/2580-46-0x000007FEFB940000-0x000007FEFB9E9000-memory.dmp	dridex_payload
behavioral1/memory/2848-55-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp	dridex_payload
behavioral1/memory/2848-60-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp	dridex_payload
behavioral1/memory/2132-76-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp	dridex_payload
behavioral1/memory/1884-92-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exeSystemPropertiesRemote.exerecdisc.exe

pid process

2848 SystemPropertiesDataExecutionPrevention.exe
2132 SystemPropertiesRemote.exe
1884 recdisc.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exeSystemPropertiesRemote.exerecdisc.exe

pid process

1192
2848 SystemPropertiesDataExecutionPrevention.exe
1192
2132 SystemPropertiesRemote.exe
1192
1884 recdisc.exe
1192

pid	process
2848	SystemPropertiesDataExecutionPrevention.exe
2132	SystemPropertiesRemote.exe
1884	recdisc.exe

pid	process
1192
2848	SystemPropertiesDataExecutionPrevention.exe
1192
2132	SystemPropertiesRemote.exe
1192
1884	recdisc.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\wCMgisj7\\SystemPropertiesRemote.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesDataExecutionPrevention.exeSystemPropertiesRemote.exerecdisc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2580	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2780	1192	SystemPropertiesDataExecutionPrevention.exe
PID 1192 wrote to memory of 2780	1192	SystemPropertiesDataExecutionPrevention.exe
PID 1192 wrote to memory of 2780	1192	SystemPropertiesDataExecutionPrevention.exe
PID 1192 wrote to memory of 2848	1192	SystemPropertiesDataExecutionPrevention.exe
PID 1192 wrote to memory of 2848	1192	SystemPropertiesDataExecutionPrevention.exe
PID 1192 wrote to memory of 2848	1192	SystemPropertiesDataExecutionPrevention.exe
PID 1192 wrote to memory of 2516	1192	SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2516	1192	SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2516	1192	SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2132	1192	SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2132	1192	SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2132	1192	SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2456	1192	recdisc.exe
PID 1192 wrote to memory of 2456	1192	recdisc.exe
PID 1192 wrote to memory of 2456	1192	recdisc.exe
PID 1192 wrote to memory of 1884	1192	recdisc.exe
PID 1192 wrote to memory of 1884	1192	recdisc.exe
PID 1192 wrote to memory of 1884	1192	recdisc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c8c8ac4777f6e405e3c0d2bb0e1bed5d1b2f76d20e1ade9e7c67b9e09df97f3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2780

C:\Users\Admin\AppData\Local\xNiPSnfcF\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\xNiPSnfcF\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2848

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2516

C:\Users\Admin\AppData\Local\t4hw1\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\t4hw1\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2132

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2456

C:\Users\Admin\AppData\Local\pqA\recdisc.exe
C:\Users\Admin\AppData\Local\pqA\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\pqA\SPP.dll

Filesize
680KB

MD5
37ad0d9c7923014a7ad5504d87eddc7d

SHA1
e7fefadf95d0d61fab6b1414456ab767edec7c9f

SHA256
b37200890b2e295778c4c1c76409924a292b456165215751c657942ed4c9e639

SHA512
f1b4e248e743abbbb2742c3b8ff1b6a5fa53d43a9cd088b34c2ef2a1c7164511df4e7caa908960ac7c203c91afab80ae8636ea2bc177f2dba2546a632e68aadd

Download Submit
C:\Users\Admin\AppData\Local\t4hw1\SYSDM.CPL

Filesize
680KB

MD5
f523fd7f8e347f6fc76d48042db509bc

SHA1
00369a0cb3843a71e8c659e5daab00249102b4b8

SHA256
1eecf9cc91846c35a437d690de9008fd93146ae19574b07720cc6de1acbb4d06

SHA512
f49da988eedddf8f19ea029748436e97ffa6932c1094df83f3fc019e21cbd742fe389480e797f8cf9b2fbbb0911f5daf5e430a3dd46951effab00e8828a1b2d9

Download Submit
C:\Users\Admin\AppData\Local\xNiPSnfcF\SYSDM.CPL

Filesize
680KB

MD5
9058be0f3cf7ac8b7894b1aa1f67f241

SHA1
c0e4228a0253da7a4fdd2ff0630b50c372d26fd3

SHA256
3cb34a78e95433a19552de14e36bb54d2689b2df31fd105a47d4210293afd49f

SHA512
cdc83f39b9d0634ddc8af23735f05fbff4b8fb7998cb8314d1c0e82b5cb4570c60f055cf97924c1db44d56db53ac9d06c68ca7a416e89a9f9b0c1853acc42482

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
943B

MD5
3c0d108f502bd22fda3b5aac24088e53

SHA1
00b22322d0b93e555d64923374d75e9632d5d4b2

SHA256
c7811c7772c47704e644d726811cdf43669ce482ec419d7aaf074599fdf4fa48

SHA512
000cbe7fc84b73a98959b762a39393787dedec8c070d4ba2200ce5c344a62360c5e8a18d2325e43c77266d0d907a3f2f285989effb7ad255c0d863096ec24d5c

Download Submit
\Users\Admin\AppData\Local\pqA\recdisc.exe

Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
\Users\Admin\AppData\Local\t4hw1\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\xNiPSnfcF\SystemPropertiesDataExecutionPrevention.exe

Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
memory/1192-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-14-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-13-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-10-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-9-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-8-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-7-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-3-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1192-28-0x0000000077E00000-0x0000000077E02000-memory.dmp

Filesize
8KB

Download
memory/1192-27-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/1192-38-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-18-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-4-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1192-47-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1192-25-0x0000000002210000-0x0000000002217000-memory.dmp

Filesize
28KB

Download
memory/1192-11-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-6-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-12-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1884-92-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp

Filesize
680KB

Download
memory/2132-71-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2132-76-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp

Filesize
680KB

Download
memory/2580-46-0x000007FEFB940000-0x000007FEFB9E9000-memory.dmp

Filesize
676KB

Download
memory/2580-1-0x000007FEFB940000-0x000007FEFB9E9000-memory.dmp

Filesize
676KB

Download
memory/2580-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2848-60-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp

Filesize
680KB

Download
memory/2848-59-0x00000000FFF10000-0x00000000FFF28000-memory.dmp

Filesize
96KB

Download
memory/2848-57-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2848-55-0x000007FEFBAC0000-0x000007FEFBB6A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads