dridex | d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a

General

Target

d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a.dll
Size

796KB
MD5

7d5e43ac50d0e4529ca26e371bb9433c
SHA1

86be8f7f47b65e7c17d26cd52fc1ed7ef4ddfe85
SHA256

d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a
SHA512

e1156e2660805056c72f996b541a0dfcde1fe391484d809e3359686ff79de041d05816715b9227daef43d01bba0fa1cf1b467a1ad78269a8e4f831fd43b4e5a8
SSDEEP

12288:XBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:x/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3164-3-0x00000000023C0000-0x00000000023C1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/116-1-0x00007FFBFAAD0000-0x00007FFBFAB97000-memory.dmp	dridex_payload
behavioral2/memory/3164-28-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral2/memory/3164-36-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral2/memory/3164-47-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral2/memory/116-50-0x00007FFBFAAD0000-0x00007FFBFAB97000-memory.dmp	dridex_payload
behavioral2/memory/3964-57-0x00007FFBEDAB0000-0x00007FFBEDB78000-memory.dmp	dridex_payload
behavioral2/memory/3964-62-0x00007FFBEDAB0000-0x00007FFBEDB78000-memory.dmp	dridex_payload
behavioral2/memory/3900-73-0x00007FFBEF0E0000-0x00007FFBEF1ED000-memory.dmp	dridex_payload
behavioral2/memory/3900-78-0x00007FFBEF0E0000-0x00007FFBEF1ED000-memory.dmp	dridex_payload
behavioral2/memory/1976-89-0x00007FFBEE570000-0x00007FFBEE67D000-memory.dmp	dridex_payload
behavioral2/memory/1976-94-0x00007FFBEE570000-0x00007FFBEE67D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemSettingsAdminFlows.exebdechangepin.exeLicensingUI.exe

pid process

3964 SystemSettingsAdminFlows.exe
3900 bdechangepin.exe
1976 LicensingUI.exe
Loads dropped DLL 3 IoCs

Processes:

SystemSettingsAdminFlows.exebdechangepin.exeLicensingUI.exe

pid process

3964 SystemSettingsAdminFlows.exe
3900 bdechangepin.exe
1976 LicensingUI.exe

pid	process
3964	SystemSettingsAdminFlows.exe
3900	bdechangepin.exe
1976	LicensingUI.exe

pid	process
3964	SystemSettingsAdminFlows.exe
3900	bdechangepin.exe
1976	LicensingUI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\8XADRQ~1\\BDECHA~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemSettingsAdminFlows.exebdechangepin.exeLicensingUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
116	rundll32.exe
116	rundll32.exe
116	rundll32.exe
116	rundll32.exe
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3164

pid	process
3164

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3164 wrote to memory of 968	3164	SystemSettingsAdminFlows.exe
PID 3164 wrote to memory of 968	3164	SystemSettingsAdminFlows.exe
PID 3164 wrote to memory of 3964	3164	SystemSettingsAdminFlows.exe
PID 3164 wrote to memory of 3964	3164	SystemSettingsAdminFlows.exe
PID 3164 wrote to memory of 4032	3164	bdechangepin.exe
PID 3164 wrote to memory of 4032	3164	bdechangepin.exe
PID 3164 wrote to memory of 3900	3164	bdechangepin.exe
PID 3164 wrote to memory of 3900	3164	bdechangepin.exe
PID 3164 wrote to memory of 3228	3164	LicensingUI.exe
PID 3164 wrote to memory of 3228	3164	LicensingUI.exe
PID 3164 wrote to memory of 1976	3164	LicensingUI.exe
PID 3164 wrote to memory of 1976	3164	LicensingUI.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d387322be423949b1d8dca385358de9746a7c20a0c4825dfc6af3b76ce4ea16a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:116

C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
1⤵
PID:968

C:\Users\Admin\AppData\Local\xiqkV\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\xiqkV\SystemSettingsAdminFlows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3964

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4032

C:\Users\Admin\AppData\Local\QeRfE9aV\bdechangepin.exe
C:\Users\Admin\AppData\Local\QeRfE9aV\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3900

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:3228

C:\Users\Admin\AppData\Local\9QCT\LicensingUI.exe
C:\Users\Admin\AppData\Local\9QCT\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3496 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9QCT\DUI70.dll
Filesize
1.1MB

MD5
1f50cefa40ea835e4df1e4b141e7c5f6

SHA1
0b7c640ad8cd7a0e74fa5708b46350818c2d36ef

SHA256
37f42121b35cec2d1819e4b46b75c5e9fc094ce7e96bc8c3d87d8123e357deba

SHA512
bb50be297cd01072f121a221d70271bacc30206207f4359eba4ab1558276420f6407dd955ebd03dafd0c7ac8d0431c92d31423106020caea27ad65782c7e5103

Download Submit
C:\Users\Admin\AppData\Local\9QCT\LicensingUI.exe
Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\QeRfE9aV\DUI70.dll
Filesize
1.1MB

MD5
4e5b4a0e9d7f776f9e31e3eb7fc44111

SHA1
fa4e46e5f83a2c0ec0cc52ca252b041a6cd3d578

SHA256
84d22aa4196b8a4f47b487a968661b2460171d7180d88786228d90c569221730

SHA512
b9b3c927566029b824a2d12e3adcfeb64933bad5827d5250a5398f65f46e4621a201cc81f58c8f01476156b85c31db46ddc2999e389b04629dbc3071b2b46fb2

Download Submit
C:\Users\Admin\AppData\Local\QeRfE9aV\bdechangepin.exe
Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Local\xiqkV\SystemSettingsAdminFlows.exe
Filesize
506KB

MD5
50adb2c7c145c729b9de8b7cf967dd24

SHA1
a31757f08da6f95156777c1132b6d5f1db3d8f30

SHA256
a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

SHA512
715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

Download Submit
C:\Users\Admin\AppData\Local\xiqkV\newdev.dll
Filesize
800KB

MD5
2f07389bc5ef7a56e5e8b9cb16224782

SHA1
b52e17e8d01576e34aa9e5ff71eb74a5f2d6f2cf

SHA256
e1ec752167bbb9d55de587aff016267a078d4cfcc325be174e8f55dfe5bdf9c7

SHA512
b4fef043469933f57b68fad19b4ab15ca8e8ff028ab2a6db4756368c8c889716bdd5062febb496bdeece3d3b3acb9acab6a68e3eb09455a8f65f9b1e15b5d959

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1KB

MD5
49c9d27601fd801d55ad220f6e08a999

SHA1
e1ad004af281f53444410a781ed81ccbefef1bcf

SHA256
8a41b76b3afdab59fdbcb9ab8fc94ff654234188ff5ee6b5e4dade0cda910ce1

SHA512
cccade1897923550d964ff9a84f344cb3cc466bba69a931d43be2d187ad0367bc04c1f813d4643c7065f310f3925f05a111709ef225155eb407490ae7dbd9f71

Download Submit
memory/116-0-0x000002B782B60000-0x000002B782B67000-memory.dmp

Filesize
28KB

Download
memory/116-1-0x00007FFBFAAD0000-0x00007FFBFAB97000-memory.dmp

Filesize
796KB

Download
memory/116-50-0x00007FFBFAAD0000-0x00007FFBFAB97000-memory.dmp

Filesize
796KB

Download
memory/1976-90-0x0000029128C20000-0x0000029128C27000-memory.dmp

Filesize
28KB

Download
memory/1976-89-0x00007FFBEE570000-0x00007FFBEE67D000-memory.dmp

Filesize
1.1MB

Download
memory/1976-94-0x00007FFBEE570000-0x00007FFBEE67D000-memory.dmp

Filesize
1.1MB

Download
memory/3164-26-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-38-0x00007FFC0E570000-0x00007FFC0E580000-memory.dmp

Filesize
64KB

Download
memory/3164-17-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-19-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-20-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-22-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-21-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-23-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-24-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-18-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-25-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-16-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-27-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-29-0x0000000000560000-0x0000000000567000-memory.dmp

Filesize
28KB

Download
memory/3164-28-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-36-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-37-0x00007FFC0E580000-0x00007FFC0E590000-memory.dmp

Filesize
64KB

Download
memory/3164-15-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-47-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-14-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-13-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-12-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-3-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3164-5-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-7-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-6-0x00007FFC0C71A000-0x00007FFC0C71B000-memory.dmp

Filesize
4KB

Download
memory/3164-11-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-8-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-9-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3164-10-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3900-78-0x00007FFBEF0E0000-0x00007FFBEF1ED000-memory.dmp

Filesize
1.1MB

Download
memory/3900-74-0x000001C97AAC0000-0x000001C97AAC7000-memory.dmp

Filesize
28KB

Download
memory/3900-73-0x00007FFBEF0E0000-0x00007FFBEF1ED000-memory.dmp

Filesize
1.1MB

Download
memory/3964-62-0x00007FFBEDAB0000-0x00007FFBEDB78000-memory.dmp

Filesize
800KB

Download
memory/3964-58-0x000001777F2E0000-0x000001777F2E7000-memory.dmp

Filesize
28KB

Download
memory/3964-57-0x00007FFBEDAB0000-0x00007FFBEDB78000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads