dridex | 765ef4bbf371d0cfc04fbc695677ddcb5a30c7048f459b64af10843fc6092bf9

General

Target

765ef4bbf371d0cfc04fbc695677ddcb5a30c7048f459b64af10843fc6092bf9.dll
Size

1.3MB
MD5

2ad40f29b98a6f42244a74f76ba97f20
SHA1

cce573df89865b4f2575c9b321632e93626812db
SHA256

765ef4bbf371d0cfc04fbc695677ddcb5a30c7048f459b64af10843fc6092bf9
SHA512

65e6df9ff642a6c1edc92fd4b6d1e05fb3a823f0e3ecf7f3d98fab7963ab843e77fd5b91c589708e371b82ce64cde1776770f6302851da103e356b931a164163
SSDEEP

12288:M38uea4w46+K1FZPfxyMs2SRXTajPomqkpyrJXy6mfvHELWUbxdewWRa7CkhkgjS:O8uea4w467D5/0ypyFYELW8xFZmMXJZ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/3028-0-0x0000000140000000-0x000000014014F000-memory.dmp	dridex_payload
behavioral1/memory/1200-36-0x0000000140000000-0x000000014014F000-memory.dmp	dridex_payload
behavioral1/memory/1200-49-0x0000000140000000-0x000000014014F000-memory.dmp	dridex_payload
behavioral1/memory/1200-48-0x0000000140000000-0x000000014014F000-memory.dmp	dridex_payload
behavioral1/memory/3028-56-0x0000000140000000-0x000000014014F000-memory.dmp	dridex_payload
behavioral1/memory/2152-69-0x0000000140000000-0x0000000140150000-memory.dmp	dridex_payload
behavioral1/memory/2152-64-0x0000000140000000-0x0000000140150000-memory.dmp	dridex_payload
behavioral1/memory/2796-89-0x0000000140000000-0x0000000140150000-memory.dmp	dridex_payload
behavioral1/memory/1624-102-0x0000000140000000-0x0000000140156000-memory.dmp	dridex_payload
behavioral1/memory/1624-107-0x0000000140000000-0x0000000140156000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

cttune.exewscript.exeirftp.exe

pid process

2152 cttune.exe
2796 wscript.exe
1624 irftp.exe
Loads dropped DLL 8 IoCs

Processes:

cttune.exewscript.exeirftp.exe

pid process

1200
2152 cttune.exe
1200
1200
2796 wscript.exe
1200
1624 irftp.exe
1200

pid	process
2152	cttune.exe
2796	wscript.exe
1624	irftp.exe

pid	process
1200
2152	cttune.exe
1200
1200
2796	wscript.exe
1200
1624	irftp.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\GC2GKNCQ\\xK\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

irftp.exerundll32.execttune.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.execttune.exe

pid	process
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
2152	cttune.exe
2152	cttune.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2500	1200	cttune.exe
PID 1200 wrote to memory of 2500	1200	cttune.exe
PID 1200 wrote to memory of 2500	1200	cttune.exe
PID 1200 wrote to memory of 2152	1200	cttune.exe
PID 1200 wrote to memory of 2152	1200	cttune.exe
PID 1200 wrote to memory of 2152	1200	cttune.exe
PID 1200 wrote to memory of 2268	1200	wscript.exe
PID 1200 wrote to memory of 2268	1200	wscript.exe
PID 1200 wrote to memory of 2268	1200	wscript.exe
PID 1200 wrote to memory of 2796	1200	wscript.exe
PID 1200 wrote to memory of 2796	1200	wscript.exe
PID 1200 wrote to memory of 2796	1200	wscript.exe
PID 1200 wrote to memory of 1644	1200	irftp.exe
PID 1200 wrote to memory of 1644	1200	irftp.exe
PID 1200 wrote to memory of 1644	1200	irftp.exe
PID 1200 wrote to memory of 1624	1200	irftp.exe
PID 1200 wrote to memory of 1624	1200	irftp.exe
PID 1200 wrote to memory of 1624	1200	irftp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\765ef4bbf371d0cfc04fbc695677ddcb5a30c7048f459b64af10843fc6092bf9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2500

C:\Users\Admin\AppData\Local\QhJLyc\cttune.exe
C:\Users\Admin\AppData\Local\QhJLyc\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2268

C:\Users\Admin\AppData\Local\2qm1h\wscript.exe
C:\Users\Admin\AppData\Local\2qm1h\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2796

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:1644

C:\Users\Admin\AppData\Local\68CK\irftp.exe
C:\Users\Admin\AppData\Local\68CK\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1624

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2qm1h\VERSION.dll
Filesize
1.3MB

MD5
723cc905eb09646c6a758e6e85c2d0fd

SHA1
4879b22f6755a7dc76ee2c440c5423a9e4417586

SHA256
e88561f49ff1caec6a8f687532430c87460138b290580cc31a4b76969cd9b81d

SHA512
4c9621a4c7d8ebe716e03de28d5b44bccbd076b8f278435fe8e5ace3766c089e2536ae29cbdafa0d7241500e34a95082e0b25538d602caabbd993e512b8d8757

Download Submit
C:\Users\Admin\AppData\Local\68CK\MFC42u.dll
Filesize
1.3MB

MD5
59e6d3490498bea4cac32ca5fb5c6c89

SHA1
95920b659033ef50dd3f47ec8b8ce010ad458bcc

SHA256
8970ac334379d0a987513c8fcb0580b060d0dbf4d2afa1af36d188764ee099ec

SHA512
d20cee1795e578136640a424014a2a160e5043e832aaff0079364574eba217046813afa6968a1a89cc0183e86c5e285b0004fe8f8f5865628f44c8b64889f6b9

Download Submit
C:\Users\Admin\AppData\Local\QhJLyc\OLEACC.dll
Filesize
1.3MB

MD5
bfbfe27eae6c085118daef9d9c1acce7

SHA1
3d7768d16f398ebd2221077c22baa978b33e4f6d

SHA256
bbda6c999334abfc2825b9dd29db478e247d65c1d26584723f41e12c00805692

SHA512
1a12efb404614dd27d941109e1ef8b16877a1a4af0d339ea2d08edee527f0f71eb708820aa20872a0f63c32ea1ac125269d5601b1be3502a58b0f76ed2e0ec0e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk
Filesize
1KB

MD5
d87029a768580c3c02de8b5f7dbdd1a6

SHA1
dd34e80bd06af6964e1b101180240c62f1c13ff9

SHA256
104aec72c471b769692cb313fd73199ebb55e868cfe82124ad52e36ec6b4ab69

SHA512
cc6005f3bf0aa3668e95cdb8d61d7f8693bee059183bffa53a246117306d9035b65749813d6b98b6e57466f22d51b729d1003e8065474636b6bae7400a35b577

Download Submit
\Users\Admin\AppData\Local\2qm1h\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\68CK\irftp.exe
Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\QhJLyc\cttune.exe
Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
memory/1200-20-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-16-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-13-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-10-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-24-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-15-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-7-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-36-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-38-0x0000000077B90000-0x0000000077B92000-memory.dmp

Filesize
8KB

Download
memory/1200-37-0x0000000077B60000-0x0000000077B62000-memory.dmp

Filesize
8KB

Download
memory/1200-35-0x0000000002DA0000-0x0000000002DA7000-memory.dmp

Filesize
28KB

Download
memory/1200-27-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-26-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-25-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-23-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-22-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-21-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-3-0x00000000777F6000-0x00000000777F7000-memory.dmp

Filesize
4KB

Download
memory/1200-19-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-18-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-17-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-11-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-14-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-49-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-48-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1200-12-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-8-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-94-0x00000000777F6000-0x00000000777F7000-memory.dmp

Filesize
4KB

Download
memory/1200-6-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1200-9-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1624-102-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1624-104-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1624-107-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2152-64-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2152-69-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2152-66-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2796-89-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2796-86-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/3028-56-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/3028-2-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/3028-0-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads