dridex | 3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f

General

Target

3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f.dll
Size

1.0MB
MD5

9143a899f20d2f4966d37b26f0f6995d
SHA1

c4bc31b82e53da1a04c7f872f3a9b5a7e7655594
SHA256

3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f
SHA512

0f92bae3982ef235a3406eac0f1873b9414cd9eb3c94edc5f4b77d2689325bd8afb75ca3dc6c3b4d574cfeefe9e6ffea778e8d8351f0bfc7be625c0f98f8c5bd
SSDEEP

12288:0Bim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN+:Q/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3452-3-0x0000000003670000-0x0000000003671000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1628-0-0x00007FF9532E0000-0x00007FF9533E8000-memory.dmp	dridex_payload
behavioral2/memory/3452-29-0x0000000140000000-0x0000000140108000-memory.dmp	dridex_payload
behavioral2/memory/3452-36-0x0000000140000000-0x0000000140108000-memory.dmp	dridex_payload
behavioral2/memory/3452-47-0x0000000140000000-0x0000000140108000-memory.dmp	dridex_payload
behavioral2/memory/1628-50-0x00007FF9532E0000-0x00007FF9533E8000-memory.dmp	dridex_payload
behavioral2/memory/3084-57-0x00007FF944790000-0x00007FF9448DE000-memory.dmp	dridex_payload
behavioral2/memory/3084-62-0x00007FF944790000-0x00007FF9448DE000-memory.dmp	dridex_payload
behavioral2/memory/2928-75-0x00007FF944740000-0x00007FF94488E000-memory.dmp	dridex_payload
behavioral2/memory/2928-80-0x00007FF944740000-0x00007FF94488E000-memory.dmp	dridex_payload
behavioral2/memory/3776-91-0x00007FF944640000-0x00007FF944749000-memory.dmp	dridex_payload
behavioral2/memory/3776-96-0x00007FF944640000-0x00007FF944749000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

LicensingUI.exeSysResetErr.exeRecoveryDrive.exe

pid process

3084 LicensingUI.exe
2928 SysResetErr.exe
3776 RecoveryDrive.exe
Loads dropped DLL 3 IoCs

Processes:

LicensingUI.exeSysResetErr.exeRecoveryDrive.exe

pid process

3084 LicensingUI.exe
2928 SysResetErr.exe
3776 RecoveryDrive.exe

pid	process
3084	LicensingUI.exe
2928	SysResetErr.exe
3776	RecoveryDrive.exe

pid	process
3084	LicensingUI.exe
2928	SysResetErr.exe
3776	RecoveryDrive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iqmkzginatp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\aqPSMCnmd01\\SysResetErr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RecoveryDrive.exerundll32.exeLicensingUI.exeSysResetErr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RecoveryDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3452
3452
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3452

pid	process
3452
3452

pid	process
3452

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3452 wrote to memory of 3916	3452	LicensingUI.exe
PID 3452 wrote to memory of 3916	3452	LicensingUI.exe
PID 3452 wrote to memory of 3084	3452	LicensingUI.exe
PID 3452 wrote to memory of 3084	3452	LicensingUI.exe
PID 3452 wrote to memory of 3640	3452	SysResetErr.exe
PID 3452 wrote to memory of 3640	3452	SysResetErr.exe
PID 3452 wrote to memory of 2928	3452	SysResetErr.exe
PID 3452 wrote to memory of 2928	3452	SysResetErr.exe
PID 3452 wrote to memory of 1860	3452	RecoveryDrive.exe
PID 3452 wrote to memory of 1860	3452	RecoveryDrive.exe
PID 3452 wrote to memory of 3776	3452	RecoveryDrive.exe
PID 3452 wrote to memory of 3776	3452	RecoveryDrive.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3854e2d5c27f65abbdd248803bb77934a30e8ad4b8d270fd8ab20b68ab3c873f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:3916

C:\Users\Admin\AppData\Local\qap7AL\LicensingUI.exe
C:\Users\Admin\AppData\Local\qap7AL\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3084

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:3640

C:\Users\Admin\AppData\Local\K9FIF1QDG\SysResetErr.exe
C:\Users\Admin\AppData\Local\K9FIF1QDG\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2928

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:1860

C:\Users\Admin\AppData\Local\Yh2o\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\Yh2o\RecoveryDrive.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\K9FIF1QDG\DUI70.dll
Filesize
1.3MB

MD5
d6f7e868150b8108bf4900ba36b6933d

SHA1
64a12f531d3403598cb172bb8a305e8149d4ac54

SHA256
8331dba9794d1ee887660944636837949c6db61944e2d856b2193df40e2acc6e

SHA512
64466684d3a87213f6d8dbba376c098bc3d30b301f88ac521513384ba09f6e4526c875ae82d8b61b0424ef66da6c6b24256ac1b8c5be7de628c4ea3cfcd3741d

Download Submit
C:\Users\Admin\AppData\Local\K9FIF1QDG\SysResetErr.exe
Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\Yh2o\RecoveryDrive.exe
Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Local\Yh2o\UxTheme.dll
Filesize
1.0MB

MD5
4af876ebfe6278fa55b391f528cb06b2

SHA1
b745865aaed57b222d26123a7ce04909fb42ccb4

SHA256
e7af9d23dd69d7467b217dc211580dbba4ac3b90b156909a27e363b79956f2c5

SHA512
c6e9985a02eeeb5ea00d76a19a47d783f14fe06b5387cbc61655552ab31452a10d1126d100bfd83e59aefc0a26993c2cfcecef6d468ca6b1857b1834e73d20a2

Download Submit
C:\Users\Admin\AppData\Local\qap7AL\DUI70.dll
Filesize
1.3MB

MD5
d67d8b616d57a9292a6bafddbfaee46f

SHA1
d460c8f6b35afd0659f6bfbd707c7c478a07f6da

SHA256
1d96bac13fffee66cf39df1320f63c073df38904d4c8e29f17c4e9498bef35d9

SHA512
c99eb9b8876c11fc1dba89e2e04610e12d6390cbb4e1f6f658f8b4e118ade2f22215fa8841f5932a2e45131bfd8ea5a880e3cb28ef3e4b9eb510180a4e5f6f08

Download Submit
C:\Users\Admin\AppData\Local\qap7AL\LicensingUI.exe
Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jnsvybh.lnk
Filesize
1KB

MD5
5175784b25fc299dd2dc8853720feed0

SHA1
85a96b93a1e1e167e7b091cb33b71aef32179ca6

SHA256
185e129fefb93f6ef183db6b79f12efa22915db8bba369acb1466a093f73122d

SHA512
5da388a4f11742cd3e90dbe7dd7f7376f31c6a7a6c21275126da035e75c87654b5eef436145ccabe7a853460fa7f54dc09c10a2b6fa3ace413c7bdc0a768c533

Download Submit
memory/1628-0-0x00007FF9532E0000-0x00007FF9533E8000-memory.dmp

Filesize
1.0MB

Download
memory/1628-1-0x000001E125EA0000-0x000001E125EA7000-memory.dmp

Filesize
28KB

Download
memory/1628-50-0x00007FF9532E0000-0x00007FF9533E8000-memory.dmp

Filesize
1.0MB

Download
memory/2928-75-0x00007FF944740000-0x00007FF94488E000-memory.dmp

Filesize
1.3MB

Download
memory/2928-76-0x00000185291A0000-0x00000185291A7000-memory.dmp

Filesize
28KB

Download
memory/2928-80-0x00007FF944740000-0x00007FF94488E000-memory.dmp

Filesize
1.3MB

Download
memory/3084-62-0x00007FF944790000-0x00007FF9448DE000-memory.dmp

Filesize
1.3MB

Download
memory/3084-57-0x00007FF944790000-0x00007FF9448DE000-memory.dmp

Filesize
1.3MB

Download
memory/3084-58-0x000002E063C80000-0x000002E063C87000-memory.dmp

Filesize
28KB

Download
memory/3452-14-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-17-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-21-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-19-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-22-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-23-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-24-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-26-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-25-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-27-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-28-0x0000000003650000-0x0000000003657000-memory.dmp

Filesize
28KB

Download
memory/3452-29-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-36-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-37-0x00007FF961F40000-0x00007FF961F50000-memory.dmp

Filesize
64KB

Download
memory/3452-38-0x00007FF961F30000-0x00007FF961F40000-memory.dmp

Filesize
64KB

Download
memory/3452-47-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-18-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-20-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-16-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-15-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-13-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-12-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-11-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-7-0x00007FF960D3A000-0x00007FF960D3B000-memory.dmp

Filesize
4KB

Download
memory/3452-10-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-9-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-8-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-6-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-5-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/3452-3-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/3776-93-0x0000025EC0AC0000-0x0000025EC0AC7000-memory.dmp

Filesize
28KB

Download
memory/3776-96-0x00007FF944640000-0x00007FF944749000-memory.dmp

Filesize
1.0MB

Download
memory/3776-91-0x00007FF944640000-0x00007FF944749000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads