dridex | 3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f

General

Target

3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f.dll
Size

1.0MB
MD5

9143a899f20d2f4966d37b26f0f6995d
SHA1

c4bc31b82e53da1a04c7f872f3a9b5a7e7655594
SHA256

3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f
SHA512

0f92bae3982ef235a3406eac0f1873b9414cd9eb3c94edc5f4b77d2689325bd8afb75ca3dc6c3b4d574cfeefe9e6ffea778e8d8351f0bfc7be625c0f98f8c5bd
SSDEEP

12288:0Bim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN+:Q/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1228-4-0x00000000029E0000-0x00000000029E1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2984-1-0x000007FEF6A00000-0x000007FEF6B08000-memory.dmp	dridex_payload
behavioral1/memory/1228-28-0x0000000140000000-0x0000000140108000-memory.dmp	dridex_payload
behavioral1/memory/1228-36-0x0000000140000000-0x0000000140108000-memory.dmp	dridex_payload
behavioral1/memory/1228-47-0x0000000140000000-0x0000000140108000-memory.dmp	dridex_payload
behavioral1/memory/1228-48-0x0000000140000000-0x0000000140108000-memory.dmp	dridex_payload
behavioral1/memory/2984-56-0x000007FEF6A00000-0x000007FEF6B08000-memory.dmp	dridex_payload
behavioral1/memory/2448-65-0x000007FEF7100000-0x000007FEF7209000-memory.dmp	dridex_payload
behavioral1/memory/2448-69-0x000007FEF7100000-0x000007FEF7209000-memory.dmp	dridex_payload
behavioral1/memory/2912-81-0x000007FEF6A00000-0x000007FEF6B09000-memory.dmp	dridex_payload
behavioral1/memory/2912-87-0x000007FEF6A00000-0x000007FEF6B09000-memory.dmp	dridex_payload
behavioral1/memory/2388-103-0x000007FEF6A00000-0x000007FEF6B0A000-memory.dmp	dridex_payload
behavioral1/memory/2388-110-0x000007FEF6A00000-0x000007FEF6B0A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exewextract.exemstsc.exe

pid process

2448 SystemPropertiesHardware.exe
2912 wextract.exe
2388 mstsc.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesHardware.exewextract.exemstsc.exe

pid process

1228
2448 SystemPropertiesHardware.exe
1228
2912 wextract.exe
1228
2388 mstsc.exe
1228

pid	process
2448	SystemPropertiesHardware.exe
2912	wextract.exe
2388	mstsc.exe

pid	process
1228
2448	SystemPropertiesHardware.exe
1228
2912	wextract.exe
1228
2388	mstsc.exe
1228

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ptbza = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\v6vzgcj\\wextract.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesHardware.exewextract.exemstsc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1228 wrote to memory of 2412	1228	SystemPropertiesHardware.exe
PID 1228 wrote to memory of 2412	1228	SystemPropertiesHardware.exe
PID 1228 wrote to memory of 2412	1228	SystemPropertiesHardware.exe
PID 1228 wrote to memory of 2448	1228	SystemPropertiesHardware.exe
PID 1228 wrote to memory of 2448	1228	SystemPropertiesHardware.exe
PID 1228 wrote to memory of 2448	1228	SystemPropertiesHardware.exe
PID 1228 wrote to memory of 2520	1228	wextract.exe
PID 1228 wrote to memory of 2520	1228	wextract.exe
PID 1228 wrote to memory of 2520	1228	wextract.exe
PID 1228 wrote to memory of 2912	1228	wextract.exe
PID 1228 wrote to memory of 2912	1228	wextract.exe
PID 1228 wrote to memory of 2912	1228	wextract.exe
PID 1228 wrote to memory of 2664	1228	mstsc.exe
PID 1228 wrote to memory of 2664	1228	mstsc.exe
PID 1228 wrote to memory of 2664	1228	mstsc.exe
PID 1228 wrote to memory of 2388	1228	mstsc.exe
PID 1228 wrote to memory of 2388	1228	mstsc.exe
PID 1228 wrote to memory of 2388	1228	mstsc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:2412

C:\Users\Admin\AppData\Local\zfxhpn\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\zfxhpn\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2448

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2520

C:\Users\Admin\AppData\Local\OxcmF\wextract.exe
C:\Users\Admin\AppData\Local\OxcmF\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2912

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:2664

C:\Users\Admin\AppData\Local\RcuI0\mstsc.exe
C:\Users\Admin\AppData\Local\RcuI0\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2388

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OxcmF\VERSION.dll
Filesize
1.0MB

MD5
ca88f353863efba32f98313e4a44eb84

SHA1
dc26de2de76bb9858b109057d3d83cff91fcc8bd

SHA256
e8b040ec0311b3eb6d712f4c547fe018c69e8f4881fb7e6de80fd520e7013552

SHA512
8d814e4d60374d38930576013485b0082c1078da0ff1ec6da57db6b639ea17e7fa729977ee00126c53a0a8c039a05d8ae3b488d2a50fa884715df0720e96ec23

Download Submit
C:\Users\Admin\AppData\Local\RcuI0\WINMM.dll
Filesize
1.0MB

MD5
8298a266c462d2495a3c48d4d69fe143

SHA1
232a7d261a6e525c33de97d08647a60498ad7f96

SHA256
514316268c6c8b1c5b4194914e921144b518ba623e32f78e28ca78e91f135091

SHA512
41f3315f6d97d924d0fcb0ce5ca0271932febb2482f776d318135a761b108fc05b49edca08179acb4d7562c1968ce5d578a85f0b58a1b84fd20448c7c812266d

Download Submit
C:\Users\Admin\AppData\Local\RcuI0\mstsc.exe
Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
C:\Users\Admin\AppData\Local\zfxhpn\SYSDM.CPL
Filesize
1.0MB

MD5
10ed51759a0719747a13f8bc046b24c5

SHA1
a7c518ca98737501a7e9a0b0e38cf198329044de

SHA256
75339f41b894d397fafb1a79bfb2c4bb8447bda021158e744b7ecfc2ad92a5c0

SHA512
065d7be967f15caf74b30bc116d989ea75ea161885a13d062a354a961f013491825cc3fe973c03085c4b0181aafbd61a1646cb1f4b47ac2e79b617a98ffa8ad7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygproaoszn.lnk
Filesize
1KB

MD5
7cbe606ae9afdc712968dfe608675ee6

SHA1
0ff4dfd03979104b67d64ebd18bf24154446aa8e

SHA256
731664679328a2d31c453d97e498a623b578209ab669e24861b32614ea81f830

SHA512
c9710c551eefafb718cf2f78386a2d4254ba58a4047e33749e6095f46e875f6eddd31019fa2720b13076a186129cf6a7edc4651a813f719b12be6ad3a67cdfd1

Download Submit
\Users\Admin\AppData\Local\OxcmF\wextract.exe
Filesize
140KB

MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Local\zfxhpn\SystemPropertiesHardware.exe
Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
memory/1228-25-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-36-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-8-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-15-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-16-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-14-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-13-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-12-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-18-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-17-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-20-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-21-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-19-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-22-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-23-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-24-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-26-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-11-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-27-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-28-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-29-0x00000000029B0000-0x00000000029B7000-memory.dmp

Filesize
28KB

Download
memory/1228-9-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-37-0x0000000077B20000-0x0000000077B22000-memory.dmp

Filesize
8KB

Download
memory/1228-38-0x0000000077B50000-0x0000000077B52000-memory.dmp

Filesize
8KB

Download
memory/1228-47-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-48-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-3-0x00000000777B6000-0x00000000777B7000-memory.dmp

Filesize
4KB

Download
memory/1228-4-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1228-6-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-10-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-7-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1228-83-0x00000000777B6000-0x00000000777B7000-memory.dmp

Filesize
4KB

Download
memory/2388-103-0x000007FEF6A00000-0x000007FEF6B0A000-memory.dmp

Filesize
1.0MB

Download
memory/2388-105-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2388-110-0x000007FEF6A00000-0x000007FEF6B0A000-memory.dmp

Filesize
1.0MB

Download
memory/2448-69-0x000007FEF7100000-0x000007FEF7209000-memory.dmp

Filesize
1.0MB

Download
memory/2448-64-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2448-65-0x000007FEF7100000-0x000007FEF7209000-memory.dmp

Filesize
1.0MB

Download
memory/2912-81-0x000007FEF6A00000-0x000007FEF6B09000-memory.dmp

Filesize
1.0MB

Download
memory/2912-84-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2912-87-0x000007FEF6A00000-0x000007FEF6B09000-memory.dmp

Filesize
1.0MB

Download
memory/2984-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2984-1-0x000007FEF6A00000-0x000007FEF6B08000-memory.dmp

Filesize
1.0MB

Download
memory/2984-56-0x000007FEF6A00000-0x000007FEF6B08000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads