dridex | 13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635

General

Target

dry.dll
Size

1.3MB
MD5

4bec705de3584b911018c84f31659a17
SHA1

b29ff37578ef950b702ec5db59161294c2e1a7b3
SHA256

13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635
SHA512

5841f5d288fa4496391fa008326d15ac9abc644c07bf970b20fd1ed2719d5ce01c457d84d17fc8025ff801d7aaec371ee2b6504cabab853d02fb6c1ad49ec423

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1292-59-0x00000000026E0000-0x00000000026E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 2 IoCs

Processes:

rdpclip.exesigverif.exe

pid process

1184 rdpclip.exe
1160 sigverif.exe

pid	process
1184	rdpclip.exe
1160	sigverif.exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcCYpJXZ
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcCYpJXZ\WINSTA.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcCYpJXZ\rdpclip.exe

Loads dropped DLL 4 IoCs

Processes:

rdpclip.exesigverif.exe

pid process

1292
1184 rdpclip.exe
1292
1160 sigverif.exe

pid	process
1292
1184	rdpclip.exe
1292
1160	sigverif.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fjgidavujrva = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\hr8X0L\\sigverif.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exesigverif.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdpclip.exe

pid	process
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1184	rdpclip.exe
1184	rdpclip.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1292

pid	process
1292

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

description	pid	target process
PID 1292 wrote to memory of 1080	1292	rdpclip.exe
PID 1292 wrote to memory of 1080	1292	rdpclip.exe
PID 1292 wrote to memory of 1080	1292	rdpclip.exe
PID 1292 wrote to memory of 1184	1292	rdpclip.exe
PID 1292 wrote to memory of 1184	1292	rdpclip.exe
PID 1292 wrote to memory of 1184	1292	rdpclip.exe
PID 1292 wrote to memory of 1836	1292	sigverif.exe
PID 1292 wrote to memory of 1836	1292	sigverif.exe
PID 1292 wrote to memory of 1836	1292	sigverif.exe
PID 1292 wrote to memory of 1160	1292	sigverif.exe
PID 1292 wrote to memory of 1160	1292	sigverif.exe
PID 1292 wrote to memory of 1160	1292	sigverif.exe
PID 1292 wrote to memory of 832	1292	slui.exe
PID 1292 wrote to memory of 832	1292	slui.exe
PID 1292 wrote to memory of 832	1292	slui.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dry.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:1080

C:\Users\Admin\AppData\Local\w3pwX\rdpclip.exe
C:\Users\Admin\AppData\Local\w3pwX\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\pM0c4AXUK\sigverif.exe
C:\Users\Admin\AppData\Local\pM0c4AXUK\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1160

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\pM0c4AXUK\VERSION.dll
MD5
78bfc759deaa01c9bc8cc0687cda5d0f

SHA1
c1c8e7a264a145d7857b2967ff05a2b3043afca8

SHA256
5d6d9d025fe0e078053ecc92d2213c0e65930a9fa139dedab6b404246e2c84e8

SHA512
003f03e4eaad36879178ae87e44250d7e8b21899ad285fc4d05f4c84348b89009477fad92c5789fb46eb7d555b96bdf4126488a829ec237e376914dc2f4a7c5e

Download Submit
C:\Users\Admin\AppData\Local\pM0c4AXUK\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
C:\Users\Admin\AppData\Local\w3pwX\WINSTA.dll
MD5
9fecc27aaae29c36e9ee8d54ecdbbefe

SHA1
08adb1116de2dfad2e087d73df143a08bf5c5821

SHA256
74e633d2a6cc4d2bef63ecc6dccc11f03cccebe892bf2d9cec4a27d2a5bd7c05

SHA512
9ee3ccb00bfc8862c1e3f489e364781a9b5fd6aecd1200f00e16774903dcd8f5ec670072da61066ce09555257b1632161e4880f4f4e878c0860d35e7e2f1e601

Download Submit
C:\Users\Admin\AppData\Local\w3pwX\rdpclip.exe
MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\pM0c4AXUK\VERSION.dll
MD5
78bfc759deaa01c9bc8cc0687cda5d0f

SHA1
c1c8e7a264a145d7857b2967ff05a2b3043afca8

SHA256
5d6d9d025fe0e078053ecc92d2213c0e65930a9fa139dedab6b404246e2c84e8

SHA512
003f03e4eaad36879178ae87e44250d7e8b21899ad285fc4d05f4c84348b89009477fad92c5789fb46eb7d555b96bdf4126488a829ec237e376914dc2f4a7c5e

Download Submit
\Users\Admin\AppData\Local\pM0c4AXUK\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\w3pwX\WINSTA.dll
MD5
9fecc27aaae29c36e9ee8d54ecdbbefe

SHA1
08adb1116de2dfad2e087d73df143a08bf5c5821

SHA256
74e633d2a6cc4d2bef63ecc6dccc11f03cccebe892bf2d9cec4a27d2a5bd7c05

SHA512
9ee3ccb00bfc8862c1e3f489e364781a9b5fd6aecd1200f00e16774903dcd8f5ec670072da61066ce09555257b1632161e4880f4f4e878c0860d35e7e2f1e601

Download Submit
\Users\Admin\AppData\Local\w3pwX\rdpclip.exe
MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
memory/1160-92-0x000007FEF6FF0000-0x000007FEF7140000-memory.dmp

Filesize
1.3MB

Download
memory/1160-89-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1160-96-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1184-86-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1184-82-0x000007FEF72C0000-0x000007FEF7411000-memory.dmp

Filesize
1.3MB

Download
memory/1192-54-0x000007FEF6C90000-0x000007FEF6DDF000-memory.dmp

Filesize
1.3MB

Download
memory/1192-58-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/1292-65-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-77-0x0000000077E40000-0x0000000077E42000-memory.dmp

Filesize
8KB

Download
memory/1292-76-0x0000000077CE1000-0x0000000077CE2000-memory.dmp

Filesize
4KB

Download
memory/1292-74-0x00000000026C0000-0x00000000026C7000-memory.dmp

Filesize
28KB

Download
memory/1292-72-0x0000000077BD6000-0x0000000077BD7000-memory.dmp

Filesize
4KB

Download
memory/1292-69-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-60-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-68-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-67-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-66-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-64-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-63-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-62-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-61-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1292-59-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads