dridex | 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530

Target

93394d6e_by_Libranalysis.dll
Size

588KB
MD5

93394d6e0ea894922267955095fabbc9
SHA1

38ac582b64fb09f212aceddf5e3cc13946c69985
SHA256

7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
SHA512

aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1832-114-0x0000000140000000-0x000000014009D000-memory.dmp	dridex_ldr
behavioral1/memory/2988-139-0x0000000140000000-0x000000014009E000-memory.dmp	dridex_ldr

Executes dropped EXE 3 IoCs

Processes:

DeviceEnroller.exeLockScreenContentServer.exeNetplwiz.exe

pid process

2988 DeviceEnroller.exe
3576 LockScreenContentServer.exe
1796 Netplwiz.exe
Loads dropped DLL 3 IoCs

Processes:

DeviceEnroller.exeLockScreenContentServer.exeNetplwiz.exe

pid process

2988 DeviceEnroller.exe
3576 LockScreenContentServer.exe
1796 Netplwiz.exe

pid	process
2988	DeviceEnroller.exe
3576	LockScreenContentServer.exe
1796	Netplwiz.exe

pid	process
2988	DeviceEnroller.exe
3576	LockScreenContentServer.exe
1796	Netplwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\RvETQpHvO\\LockScreenContentServer.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDeviceEnroller.exeLockScreenContentServer.exeNetplwiz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
1832	rundll32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024

pid	process
3024

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

pid process

3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
Suspicious use of SendNotifyMessage 18 IoCs

Processes:

pid process

3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3024

pid	process
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

pid	process
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

pid	process
3024

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3024 wrote to memory of 3876	3024	DeviceEnroller.exe
PID 3024 wrote to memory of 3876	3024	DeviceEnroller.exe
PID 3024 wrote to memory of 2988	3024	DeviceEnroller.exe
PID 3024 wrote to memory of 2988	3024	DeviceEnroller.exe
PID 3024 wrote to memory of 732	3024	LockScreenContentServer.exe
PID 3024 wrote to memory of 732	3024	LockScreenContentServer.exe
PID 3024 wrote to memory of 3576	3024	LockScreenContentServer.exe
PID 3024 wrote to memory of 3576	3024	LockScreenContentServer.exe
PID 3024 wrote to memory of 3852	3024	Netplwiz.exe
PID 3024 wrote to memory of 3852	3024	Netplwiz.exe
PID 3024 wrote to memory of 1796	3024	Netplwiz.exe
PID 3024 wrote to memory of 1796	3024	Netplwiz.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:3876

C:\Users\Admin\AppData\Local\mlbHTZS\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\mlbHTZS\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2988

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:732

C:\Users\Admin\AppData\Local\VW8ILl\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\VW8ILl\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3576

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:3852

C:\Users\Admin\AppData\Local\EZ1\Netplwiz.exe
C:\Users\Admin\AppData\Local\EZ1\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EZ1\NETPLWIZ.dll

MD5
7d51a4ca88e2e7f4362716f0575eea6a

SHA1
eea7840855e45340f1eaee7c018258c2bb675a45

SHA256
76289b13bf66d7cd221dc52def5e22d014a1795c79726c1228cc6c659a810a2e

SHA512
220790f0d1c3d07aeb264143b12a1d83fc96041cb533e761180751d5415908a90014b51f891dbd8585b11bd0e3b19782e60e43135024e4c3aa02bbf8f19cd554

Download Submit
C:\Users\Admin\AppData\Local\EZ1\Netplwiz.exe

MD5
a5acd80ecb8474371df9ea90c2276572

SHA1
a0fe5331bcb81aef9b0e0839ba0a71c2dcd78a08

SHA256
211ffe401b62de5ece1b863f3ba1c30279bd4b6a294141c80687005227c09388

SHA512
5e75bef5d25195ebf388ad771d713f80b2147348fc617677a9db9f3d94b65b25da332ef25b6790ac74349aeaefc2a18ae3b9573097f098313d0533f6e7ca9165

Download Submit
C:\Users\Admin\AppData\Local\VW8ILl\LockScreenContentServer.exe

MD5
583914a93db0413668eadd743fd5fb1c

SHA1
8b95be0ad348f0aabfcceac3148109ef12e8a978

SHA256
ec09ee1b2bb981335ea9db3ac031fbbc3ed74f9294d734a5799fb0d75e423583

SHA512
2f5c22cc3f557c65c876e8a943c7b3dec92d5c0b5219ab2410a334f42e442ef08d0c7b1c5c0797b83a17578a25ce70aa631a15be7ec6a6ea8a8d865dca0b9cd4

Download Submit
C:\Users\Admin\AppData\Local\VW8ILl\dwmapi.dll

MD5
38476b039febb0ae8dba6057456874e7

SHA1
eecbe7be8c814934f7b41fa6b9bf13dbd3f77f96

SHA256
1cdc48c2f9a04edb7635e37f488ff3c318c3e18ea3ed9bbb3dad1a6092cd5386

SHA512
368615d8767372cd99aea4ad7825fea8bbb8b018de2838e57e21183898f390aaa17c9fc99277c91f1863457e8c8cf503da885767a1c8de683c449147cfd201e9

Download Submit
C:\Users\Admin\AppData\Local\mlbHTZS\DeviceEnroller.exe

MD5
bd732a3a065f5cca6df003a7ca78bb35

SHA1
449d027d933fdd530a6a27d7c2132f98ee56374a

SHA256
fd5f32939c8de2d80a6f2481268313b5151c21c474c61635c92d2b8ea436955e

SHA512
d1cd727841522be31e979484cdea467501693e1a3bab2fabc72510c73698353c960f7d2c16be9a4406d804da2b2ad7da58827a630f9616ebe296cae481103701

Download Submit
C:\Users\Admin\AppData\Local\mlbHTZS\XmlLite.dll

MD5
c680d56cc2498c007ca161261f1d0537

SHA1
e067761b8dba7e913bdfda1539d0dc4fcfa5793c

SHA256
f6cd8c617302bd47d988f8a084afce454960a54b0058ecad3092bcb242b4ab3b

SHA512
2ec6bdedf9cfc8eff85dbf6393ef6f33312e978e92a1bec2572ccd97135c479285cb189835fb754f91fd03b931fbd216d3f5e3915f5eb915190d4af8e6e84ec2

Download Submit
\Users\Admin\AppData\Local\EZ1\NETPLWIZ.dll

MD5
7d51a4ca88e2e7f4362716f0575eea6a

SHA1
eea7840855e45340f1eaee7c018258c2bb675a45

SHA256
76289b13bf66d7cd221dc52def5e22d014a1795c79726c1228cc6c659a810a2e

SHA512
220790f0d1c3d07aeb264143b12a1d83fc96041cb533e761180751d5415908a90014b51f891dbd8585b11bd0e3b19782e60e43135024e4c3aa02bbf8f19cd554

Download Submit
\Users\Admin\AppData\Local\VW8ILl\dwmapi.dll

MD5
38476b039febb0ae8dba6057456874e7

SHA1
eecbe7be8c814934f7b41fa6b9bf13dbd3f77f96

SHA256
1cdc48c2f9a04edb7635e37f488ff3c318c3e18ea3ed9bbb3dad1a6092cd5386

SHA512
368615d8767372cd99aea4ad7825fea8bbb8b018de2838e57e21183898f390aaa17c9fc99277c91f1863457e8c8cf503da885767a1c8de683c449147cfd201e9

Download Submit
\Users\Admin\AppData\Local\mlbHTZS\XmlLite.dll

MD5
c680d56cc2498c007ca161261f1d0537

SHA1
e067761b8dba7e913bdfda1539d0dc4fcfa5793c

SHA256
f6cd8c617302bd47d988f8a084afce454960a54b0058ecad3092bcb242b4ab3b

SHA512
2ec6bdedf9cfc8eff85dbf6393ef6f33312e978e92a1bec2572ccd97135c479285cb189835fb754f91fd03b931fbd216d3f5e3915f5eb915190d4af8e6e84ec2

Download Submit
memory/1796-155-0x0000000000000000-mapping.dmp

Download
memory/1832-119-0x00000176F6980000-0x00000176F6987000-memory.dmp

Filesize
28KB

Download
memory/1832-114-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2988-139-0x0000000140000000-0x000000014009E000-memory.dmp

Filesize
632KB

Download
memory/2988-135-0x0000000000000000-mapping.dmp

Download
memory/3024-122-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3024-121-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3024-124-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3024-120-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/3024-123-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3024-134-0x00007FFAC9304320-0x00007FFAC9305320-memory.dmp

Filesize
4KB

Download
memory/3576-145-0x0000000000000000-mapping.dmp

Download