dridex | 5e8681d346f5ccaf1626cfc6d89c697e22de14a91644f71ea4217c88fe0e47f9

General

Target

5e8681d346f5ccaf1626cfc6d89c697e22de14a91644f71ea4217c88fe0e47f9.dll
Size

1.0MB
MD5

51a75f6aeda5db4e23cb7ca20e26c2c9
SHA1

c0f4e297aa0e2ec7ce340f0e33778d0345e88028
SHA256

5e8681d346f5ccaf1626cfc6d89c697e22de14a91644f71ea4217c88fe0e47f9
SHA512

c815ca336be0635096323df11a166985915990936e601af39ed222caa0a56fd204193c69895d7ad4174e3daf5df9d4e267b5dde8d5dcf7797722c36e7390078d
SSDEEP

12288:C38uea4w46+K1FZPfxyMs2SRXTajPomqkpyrJXy6mfvHELWUbxdewWRa7CkhkgjS:g8uea4w467D5/0ypyFYELW8xFZmMXJZ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1220-4-0x0000000002E10000-0x0000000002E11000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1288-0-0x0000000140000000-0x0000000140109000-memory.dmp	dridex_payload
behavioral1/memory/1220-36-0x0000000140000000-0x0000000140109000-memory.dmp	dridex_payload
behavioral1/memory/1220-47-0x0000000140000000-0x0000000140109000-memory.dmp	dridex_payload
behavioral1/memory/1288-53-0x0000000140000000-0x0000000140109000-memory.dmp	dridex_payload
behavioral1/memory/1220-54-0x0000000140000000-0x0000000140109000-memory.dmp	dridex_payload
behavioral1/memory/2600-65-0x0000000140000000-0x000000014010A000-memory.dmp	dridex_payload
behavioral1/memory/2600-69-0x0000000140000000-0x000000014010A000-memory.dmp	dridex_payload
behavioral1/memory/2740-90-0x0000000140000000-0x000000014010A000-memory.dmp	dridex_payload
behavioral1/memory/1660-102-0x0000000140000000-0x000000014010B000-memory.dmp	dridex_payload
behavioral1/memory/1660-105-0x0000000140000000-0x000000014010B000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

slui.exewscript.exexpsrchvw.exe

pid process

2600 slui.exe
2740 wscript.exe
1660 xpsrchvw.exe
Loads dropped DLL 8 IoCs

Processes:

slui.exewscript.exexpsrchvw.exe

pid process

1220
2600 slui.exe
1220
1220
2740 wscript.exe
1220
1660 xpsrchvw.exe
1220

pid	process
2600	slui.exe
2740	wscript.exe
1660	xpsrchvw.exe

pid	process
1220
2600	slui.exe
1220
1220
2740	wscript.exe
1220
1660	xpsrchvw.exe
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\0V\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

slui.exewscript.exexpsrchvw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeslui.exe

pid	process
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
2600	slui.exe
2600	slui.exe
1220
1220

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1220 wrote to memory of 2492	1220	slui.exe
PID 1220 wrote to memory of 2492	1220	slui.exe
PID 1220 wrote to memory of 2492	1220	slui.exe
PID 1220 wrote to memory of 2600	1220	slui.exe
PID 1220 wrote to memory of 2600	1220	slui.exe
PID 1220 wrote to memory of 2600	1220	slui.exe
PID 1220 wrote to memory of 2608	1220	wscript.exe
PID 1220 wrote to memory of 2608	1220	wscript.exe
PID 1220 wrote to memory of 2608	1220	wscript.exe
PID 1220 wrote to memory of 2740	1220	wscript.exe
PID 1220 wrote to memory of 2740	1220	wscript.exe
PID 1220 wrote to memory of 2740	1220	wscript.exe
PID 1220 wrote to memory of 2204	1220	xpsrchvw.exe
PID 1220 wrote to memory of 2204	1220	xpsrchvw.exe
PID 1220 wrote to memory of 2204	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1660	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1660	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1660	1220	xpsrchvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e8681d346f5ccaf1626cfc6d89c697e22de14a91644f71ea4217c88fe0e47f9.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2492

C:\Users\Admin\AppData\Local\eTd1yjln\slui.exe
C:\Users\Admin\AppData\Local\eTd1yjln\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\csV1f\wscript.exe
C:\Users\Admin\AppData\Local\csV1f\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2740

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Local\gn1GxiAK\xpsrchvw.exe
C:\Users\Admin\AppData\Local\gn1GxiAK\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1660

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\csV1f\VERSION.dll
Filesize
1.0MB

MD5
0f91bc2b26a480d09aebd35f6c70cb6f

SHA1
f7a0000ae4c9dd33beb5457c7a54749c49a7940b

SHA256
d98dadef264192528d92ae2552d51be6068cf691c821957f8fa5d3eb5d7ec73c

SHA512
d5d2261d9694ab98f4074228fa859cdedd0fd50843b836209a594c02c2dbba336b90ad75587d2fb4bef7f0ce65050cc6fae7d0507a38202303c3b62abd02370b

Download Submit
C:\Users\Admin\AppData\Local\eTd1yjln\slui.exe
Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
C:\Users\Admin\AppData\Local\gn1GxiAK\WINMM.dll
Filesize
1.0MB

MD5
491d523367904dfc6ffce31ca3826f1f

SHA1
3f9efddfd1897ab3498f493db6d68cfdfb43b8d5

SHA256
ebc2c1dbba2c8ec33f60ad52b297e2b301d9ec849333ec8b28ef6eb07dce1147

SHA512
e362ce894340162be4cd43861003fa6e10d35e8da78c4e02b5717224e857eec196609a35f525a7dea8c69f0a7c6b0fb0168bc5b384ed5b3246000808ae3bf83f

Download Submit
C:\Users\Admin\AppData\Local\gn1GxiAK\xpsrchvw.exe
Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
Filesize
1KB

MD5
4628ca0344eacb35981b5f7eeee797b1

SHA1
df946e8404c50ccf03367f07ac8ef4b6170c8bf1

SHA256
4a8fbf712aed63f3bac68592d197a0e92c2ba1bf6a12912d79b06ecbba977348

SHA512
87fb6c822cd005fdfeac52ab7357733c3ddcb721763340e25b9b6fe4c5945f801f54fbe13ac785da892f46feb585ce3c0da3fef953dc505ff72724e3444643d0

Download Submit
\Users\Admin\AppData\Local\csV1f\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\eTd1yjln\WINBRAND.dll
Filesize
1.0MB

MD5
8ae9714471399f62f6ddb71b6de6000e

SHA1
f0ca525166e0db66808a73987d127096f8375d7d

SHA256
13288b2ccc55811107e09a6cc232cbca4b7a19e044596b8b14f5fcb24e5e0787

SHA512
95c8e419fabc1109c7a0d3539ff05f3fcc26b2c15202ca1da88514e27ceedd9c8b606b7fcaece66ff6de234dac42f9d55dc31446eb3766ab38f87e5146b10873

Download Submit
memory/1220-11-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-38-0x00000000775A0000-0x00000000775A2000-memory.dmp

Filesize
8KB

Download
memory/1220-16-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-23-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-36-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-27-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-26-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-25-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-22-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-21-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-20-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-19-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-18-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-17-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-15-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-14-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-13-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-3-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1220-10-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-9-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-8-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-35-0x0000000002A90000-0x0000000002A97000-memory.dmp

Filesize
28KB

Download
memory/1220-37-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/1220-47-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-4-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1220-54-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-57-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1220-24-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-7-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-6-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1220-12-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1288-53-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1288-0-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1.0MB

Download
memory/1288-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1660-102-0x0000000140000000-0x000000014010B000-memory.dmp

Filesize
1.0MB

Download
memory/1660-105-0x0000000140000000-0x000000014010B000-memory.dmp

Filesize
1.0MB

Download
memory/2600-69-0x0000000140000000-0x000000014010A000-memory.dmp

Filesize
1.0MB

Download
memory/2600-65-0x0000000140000000-0x000000014010A000-memory.dmp

Filesize
1.0MB

Download
memory/2600-67-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2740-87-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/2740-90-0x0000000140000000-0x000000014010A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads