dridex | 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530

Target

93394d6e_by_Libranalysis.dll
Size

588KB
MD5

93394d6e0ea894922267955095fabbc9
SHA1

38ac582b64fb09f212aceddf5e3cc13946c69985
SHA256

7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
SHA512

aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1864-60-0x0000000140000000-0x000000014009D000-memory.dmp	dridex_payload
behavioral1/memory/436-80-0x0000000140000000-0x00000001400D1000-memory.dmp	dridex_payload
behavioral1/memory/624-88-0x0000000140000000-0x000000014009E000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1224-63-0x0000000003960000-0x0000000003961000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dpapimig.exeDeviceDisplayObjectProvider.exerdrleakdiag.exe

pid process

436 dpapimig.exe
624 DeviceDisplayObjectProvider.exe
1304 rdrleakdiag.exe
Loads dropped DLL 7 IoCs

Processes:

dpapimig.exeDeviceDisplayObjectProvider.exerdrleakdiag.exe

pid process

1224
436 dpapimig.exe
1224
624 DeviceDisplayObjectProvider.exe
1224
1304 rdrleakdiag.exe
1224

pid	process
436	dpapimig.exe
624	DeviceDisplayObjectProvider.exe
1304	rdrleakdiag.exe

pid	process
1224
436	dpapimig.exe
1224
624	DeviceDisplayObjectProvider.exe
1224
1304	rdrleakdiag.exe
1224

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srlqp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\gppQHM99IU\\DeviceDisplayObjectProvider.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpapimig.exeDeviceDisplayObjectProvider.exerdrleakdiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exedpapimig.exeDeviceDisplayObjectProvider.exe

pid	process
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
436	dpapimig.exe
436	dpapimig.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
624	DeviceDisplayObjectProvider.exe
624	DeviceDisplayObjectProvider.exe
1224
1224
1224
1224
1224
1224
1224

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1224
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1224
1224
1224
1224
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1224
1224
1224
1224

pid	process
1224

pid	process
1224
1224
1224
1224

pid	process
1224
1224
1224
1224

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1224 wrote to memory of 1684	1224	dpapimig.exe
PID 1224 wrote to memory of 1684	1224	dpapimig.exe
PID 1224 wrote to memory of 1684	1224	dpapimig.exe
PID 1224 wrote to memory of 436	1224	dpapimig.exe
PID 1224 wrote to memory of 436	1224	dpapimig.exe
PID 1224 wrote to memory of 436	1224	dpapimig.exe
PID 1224 wrote to memory of 1044	1224	DeviceDisplayObjectProvider.exe
PID 1224 wrote to memory of 1044	1224	DeviceDisplayObjectProvider.exe
PID 1224 wrote to memory of 1044	1224	DeviceDisplayObjectProvider.exe
PID 1224 wrote to memory of 624	1224	DeviceDisplayObjectProvider.exe
PID 1224 wrote to memory of 624	1224	DeviceDisplayObjectProvider.exe
PID 1224 wrote to memory of 624	1224	DeviceDisplayObjectProvider.exe
PID 1224 wrote to memory of 972	1224	rdrleakdiag.exe
PID 1224 wrote to memory of 972	1224	rdrleakdiag.exe
PID 1224 wrote to memory of 972	1224	rdrleakdiag.exe
PID 1224 wrote to memory of 1304	1224	rdrleakdiag.exe
PID 1224 wrote to memory of 1304	1224	rdrleakdiag.exe
PID 1224 wrote to memory of 1304	1224	rdrleakdiag.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\rs2\dpapimig.exe
C:\Users\Admin\AppData\Local\rs2\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:1044

C:\Users\Admin\AppData\Local\tKQ1RY45a\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\tKQ1RY45a\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\QAuM3O0f\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\QAuM3O0f\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QAuM3O0f\rdrleakdiag.exe

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
C:\Users\Admin\AppData\Local\QAuM3O0f\wer.dll

MD5
8147e1a29aa0e169effe764cf746fd4c

SHA1
01d66cd88bdf551c91cf969a47056cc6a44ba216

SHA256
14652d299a228c24cd8cc0f0df87233e9bd065941b5bda2adfb35e5ae386c450

SHA512
38d3ff9116b0cb749f7798d0c65b082413d2dad3612413b85bac3731595bc5ed542daff3079bf629a319934340cb6b3ae69b33aad60855ac5b419be09c2f361c

Download Submit
C:\Users\Admin\AppData\Local\rs2\DUI70.dll

MD5
6adc866a67e540e15910794b286de645

SHA1
6c0cd3d102f4edadf4e2165da5ef91e9ffe0055e

SHA256
4934ddadbbe2a5163ac0e6d95a76048fdf99255ea3ce00204822d9a68cb6475f

SHA512
689d4289217da71777e49f3bbcbc2ee41c4be5ffb3915ad13a974862584b2149177b1d4ddcecbad89f24c578b1f65bcd28212b631dd461801b4654fb6eafad8e

Download Submit
C:\Users\Admin\AppData\Local\rs2\dpapimig.exe

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
C:\Users\Admin\AppData\Local\tKQ1RY45a\DeviceDisplayObjectProvider.exe

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\tKQ1RY45a\XmlLite.dll

MD5
2bbd078a08fb020127481b26984d930e

SHA1
6f047ed048a5fd2003418f787355ddaf1f7d5bc9

SHA256
5269caea977276c485ce202c4c3ac3ecb1ba2523a1e612b8d7e0d2f4cc774e53

SHA512
56f6814e59e02d327eb3bbdfa194fe8fea2b1567607f67783e32d5f01ceef9496b3a7346a7af036f6fc7e8445e9e662372785f11993ece7e8c276e4d83a2bd77

Download Submit
\Users\Admin\AppData\Local\QAuM3O0f\rdrleakdiag.exe

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
\Users\Admin\AppData\Local\QAuM3O0f\wer.dll

MD5
8147e1a29aa0e169effe764cf746fd4c

SHA1
01d66cd88bdf551c91cf969a47056cc6a44ba216

SHA256
14652d299a228c24cd8cc0f0df87233e9bd065941b5bda2adfb35e5ae386c450

SHA512
38d3ff9116b0cb749f7798d0c65b082413d2dad3612413b85bac3731595bc5ed542daff3079bf629a319934340cb6b3ae69b33aad60855ac5b419be09c2f361c

Download Submit
\Users\Admin\AppData\Local\rs2\DUI70.dll

MD5
6adc866a67e540e15910794b286de645

SHA1
6c0cd3d102f4edadf4e2165da5ef91e9ffe0055e

SHA256
4934ddadbbe2a5163ac0e6d95a76048fdf99255ea3ce00204822d9a68cb6475f

SHA512
689d4289217da71777e49f3bbcbc2ee41c4be5ffb3915ad13a974862584b2149177b1d4ddcecbad89f24c578b1f65bcd28212b631dd461801b4654fb6eafad8e

Download Submit
\Users\Admin\AppData\Local\rs2\dpapimig.exe

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
\Users\Admin\AppData\Local\tKQ1RY45a\DeviceDisplayObjectProvider.exe

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\tKQ1RY45a\XmlLite.dll

MD5
2bbd078a08fb020127481b26984d930e

SHA1
6f047ed048a5fd2003418f787355ddaf1f7d5bc9

SHA256
5269caea977276c485ce202c4c3ac3ecb1ba2523a1e612b8d7e0d2f4cc774e53

SHA512
56f6814e59e02d327eb3bbdfa194fe8fea2b1567607f67783e32d5f01ceef9496b3a7346a7af036f6fc7e8445e9e662372785f11993ece7e8c276e4d83a2bd77

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\9cYY\rdrleakdiag.exe

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
memory/436-80-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/436-75-0x0000000000000000-mapping.dmp

Download
memory/436-77-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Filesize
8KB

Download
memory/624-84-0x0000000000000000-mapping.dmp

Download
memory/624-88-0x0000000140000000-0x000000014009E000-memory.dmp

Filesize
632KB

Download
memory/1224-63-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/1224-66-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1224-67-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1224-65-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1224-64-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1304-92-0x0000000000000000-mapping.dmp

Download
memory/1864-62-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/1864-60-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download