dridex | d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a

General

Target

d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a.dll
Size

796KB
MD5

7d5e43ac50d0e4529ca26e371bb9433c
SHA1

86be8f7f47b65e7c17d26cd52fc1ed7ef4ddfe85
SHA256

d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a
SHA512

e1156e2660805056c72f996b541a0dfcde1fe391484d809e3359686ff79de041d05816715b9227daef43d01bba0fa1cf1b467a1ad78269a8e4f831fd43b4e5a8
SSDEEP

12288:XBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:x/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2764-1-0x000007FEF6AB0000-0x000007FEF6B77000-memory.dmp	dridex_payload
behavioral1/memory/1208-29-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral1/memory/1208-36-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral1/memory/1208-48-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral1/memory/1208-47-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral1/memory/2764-56-0x000007FEF6AB0000-0x000007FEF6B77000-memory.dmp	dridex_payload
behavioral1/memory/2528-65-0x000007FEF6B80000-0x000007FEF6C48000-memory.dmp	dridex_payload
behavioral1/memory/2528-69-0x000007FEF6B80000-0x000007FEF6C48000-memory.dmp	dridex_payload
behavioral1/memory/2416-82-0x000007FEF64F0000-0x000007FEF65B8000-memory.dmp	dridex_payload
behavioral1/memory/2416-87-0x000007FEF64F0000-0x000007FEF65B8000-memory.dmp	dridex_payload
behavioral1/memory/1044-106-0x000007FEF64F0000-0x000007FEF65B8000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdpinit.exeSystemPropertiesDataExecutionPrevention.exeBitLockerWizardElev.exe

pid process

2528 rdpinit.exe
2416 SystemPropertiesDataExecutionPrevention.exe
1044 BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs

Processes:

rdpinit.exeSystemPropertiesDataExecutionPrevention.exeBitLockerWizardElev.exe

pid process

1208
2528 rdpinit.exe
1208
2416 SystemPropertiesDataExecutionPrevention.exe
1208
1044 BitLockerWizardElev.exe
1208

pid	process
2528	rdpinit.exe
2416	SystemPropertiesDataExecutionPrevention.exe
1044	BitLockerWizardElev.exe

pid	process
1208
2528	rdpinit.exe
1208
2416	SystemPropertiesDataExecutionPrevention.exe
1208
1044	BitLockerWizardElev.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\dF6KiSj\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinit.exeSystemPropertiesDataExecutionPrevention.exeBitLockerWizardElev.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2496	1208	rdpinit.exe
PID 1208 wrote to memory of 2496	1208	rdpinit.exe
PID 1208 wrote to memory of 2496	1208	rdpinit.exe
PID 1208 wrote to memory of 2528	1208	rdpinit.exe
PID 1208 wrote to memory of 2528	1208	rdpinit.exe
PID 1208 wrote to memory of 2528	1208	rdpinit.exe
PID 1208 wrote to memory of 2160	1208	SystemPropertiesDataExecutionPrevention.exe
PID 1208 wrote to memory of 2160	1208	SystemPropertiesDataExecutionPrevention.exe
PID 1208 wrote to memory of 2160	1208	SystemPropertiesDataExecutionPrevention.exe
PID 1208 wrote to memory of 2416	1208	SystemPropertiesDataExecutionPrevention.exe
PID 1208 wrote to memory of 2416	1208	SystemPropertiesDataExecutionPrevention.exe
PID 1208 wrote to memory of 2416	1208	SystemPropertiesDataExecutionPrevention.exe
PID 1208 wrote to memory of 3008	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 3008	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 3008	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 1044	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 1044	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 1044	1208	BitLockerWizardElev.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2496

C:\Users\Admin\AppData\Local\nfR9QRI\rdpinit.exe
C:\Users\Admin\AppData\Local\nfR9QRI\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2528

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2160

C:\Users\Admin\AppData\Local\bFT\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\bFT\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2416

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\DZKIxVyk\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\DZKIxVyk\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1044

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DZKIxVyk\FVEWIZ.dll
Filesize
800KB

MD5
21275241361b488598a6e6c8bc3aad0a

SHA1
6ae87565da179ea8669790f95fdfb4b2b2828c61

SHA256
c17270299cc70f52c4d86aaa35a389e56fd9c3d2ab853c8ff65927566794caa8

SHA512
8c2aa9cd6c7cb6f1e11d5e249d09f9fb764c2c82d93aa348852d950359920491311e9f61e0beb146bf57593acd5369d849047744563eafafc1a49aeb0a52d5d0

Download Submit
C:\Users\Admin\AppData\Local\bFT\SYSDM.CPL
Filesize
800KB

MD5
97bce34512b55e035fb129e2741755e5

SHA1
5989e965ed53efd260e7fcdb068d0941a70f098f

SHA256
505c42a95b261412b2fb954cfbd245d00481037f39ff2ba72a017e0f71ee5004

SHA512
00f6f90e7966910d7670370b002e7a9d1fe666d6e78a7b87c402a377e1518b6cca9eee48091c07279f94fd283df84067589147ff9a6b45f588124649cf9956dc

Download Submit
C:\Users\Admin\AppData\Local\nfR9QRI\WTSAPI32.dll
Filesize
800KB

MD5
8e98cd9c96d3228e936052a626575ebf

SHA1
239801e6ba080163eaa3dc424a9722b579be03a5

SHA256
8d586ec32bad24b955b2d1841061571e83c735764aa1d1a38f3dd6447dbc80d7

SHA512
32093394123ecf6c79392c08e9a5a6c2a7c30e4e45d588951b2ff679f99be2deb8b2d1eb91f8981a3b7b8e0222d83b2cf853aa8a893e3df26c91b2e2d181bdff

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
2a0d62dc85ec19fd91f2099b6fbd7f20

SHA1
5f058a34fb7cace6c725b543383f98c5e547efb5

SHA256
66641d627cfa99bd6f53b3f1b9749798f4414c0840831fc40f9186c823dfa965

SHA512
45358187fed856512c55fa44e51501a11dddd78aab878e1f59ca696e78181a5e2d5668a1dc0385122716d4549d6a51d560c5d88bd29b4f8dee4edbd1f616a45b

Download Submit
\Users\Admin\AppData\Local\DZKIxVyk\BitLockerWizardElev.exe
Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\bFT\SystemPropertiesDataExecutionPrevention.exe
Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
\Users\Admin\AppData\Local\nfR9QRI\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
memory/1044-106-0x000007FEF64F0000-0x000007FEF65B8000-memory.dmp

Filesize
800KB

Download
memory/1044-102-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1208-28-0x0000000001C70000-0x0000000001C77000-memory.dmp

Filesize
28KB

Download
memory/1208-37-0x0000000077560000-0x0000000077562000-memory.dmp

Filesize
8KB

Download
memory/1208-13-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-14-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-15-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-16-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-17-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-18-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-19-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-20-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-22-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-23-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-25-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-26-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-29-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-11-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-27-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-24-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-21-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-36-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-38-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/1208-12-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-48-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-47-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-3-0x00000000772F6000-0x00000000772F7000-memory.dmp

Filesize
4KB

Download
memory/1208-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/1208-6-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-10-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-9-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-7-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-8-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/1208-80-0x00000000772F6000-0x00000000772F7000-memory.dmp

Filesize
4KB

Download
memory/2416-87-0x000007FEF64F0000-0x000007FEF65B8000-memory.dmp

Filesize
800KB

Download
memory/2416-83-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2416-82-0x000007FEF64F0000-0x000007FEF65B8000-memory.dmp

Filesize
800KB

Download
memory/2528-69-0x000007FEF6B80000-0x000007FEF6C48000-memory.dmp

Filesize
800KB

Download
memory/2528-65-0x000007FEF6B80000-0x000007FEF6C48000-memory.dmp

Filesize
800KB

Download
memory/2528-64-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2764-1-0x000007FEF6AB0000-0x000007FEF6B77000-memory.dmp

Filesize
796KB

Download
memory/2764-0-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2764-56-0x000007FEF6AB0000-0x000007FEF6B77000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads