dridex | 445accea40bee73a661f478c9bfd5c9129b49ad86971a3cb25dae06f1a572a14

General

Target

5ce626cc979bced4df80a332aa794800_NEIKI.dll
Size

1.8MB
MD5

5ce626cc979bced4df80a332aa794800
SHA1

31f289af6916a9e20780333e928710df52da459d
SHA256

445accea40bee73a661f478c9bfd5c9129b49ad86971a3cb25dae06f1a572a14
SHA512

40473c862c21c3cd44aabdc8ee4b232be2ffb20973049f7deebe792816d43b7e27788d89197a50ff5a9d5f282374a1fd830c0f8f2fdf6663864c853b06cd5090
SSDEEP

12288:m38uea4w46+K1FZPfxyMs2SRXTajPomqkpyrJXy6mfvHELWUbxdewWRa7Ckhkgjj:M8uea4w467D5/0ypyFYELW8xFZmMXJZ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1176-4-0x0000000002200000-0x0000000002201000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1280-1-0x0000000140000000-0x00000001401D9000-memory.dmp	dridex_payload
behavioral1/memory/1176-37-0x0000000140000000-0x00000001401D9000-memory.dmp	dridex_payload
behavioral1/memory/1176-50-0x0000000140000000-0x00000001401D9000-memory.dmp	dridex_payload
behavioral1/memory/1176-48-0x0000000140000000-0x00000001401D9000-memory.dmp	dridex_payload
behavioral1/memory/1280-57-0x0000000140000000-0x00000001401D9000-memory.dmp	dridex_payload
behavioral1/memory/2520-66-0x0000000140000000-0x00000001401DB000-memory.dmp	dridex_payload
behavioral1/memory/2520-69-0x0000000140000000-0x00000001401DB000-memory.dmp	dridex_payload
behavioral1/memory/888-89-0x0000000140000000-0x00000001401DA000-memory.dmp	dridex_payload
behavioral1/memory/888-93-0x0000000140000000-0x00000001401DA000-memory.dmp	dridex_payload
behavioral1/memory/2852-105-0x0000000140000000-0x000000014020D000-memory.dmp	dridex_payload
behavioral1/memory/2852-109-0x0000000140000000-0x000000014020D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

mmc.exepsr.exemsdt.exe

pid process

2520 mmc.exe
888 psr.exe
2852 msdt.exe
Loads dropped DLL 7 IoCs

Processes:

mmc.exepsr.exemsdt.exe

pid process

1176
2520 mmc.exe
1176
888 psr.exe
1176
2852 msdt.exe
1176

pid	process
2520	mmc.exe
888	psr.exe
2852	msdt.exe

pid	process
1176
2520	mmc.exe
1176
888	psr.exe
1176
2852	msdt.exe
1176

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\bQen9PW3to\\psr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdt.exerundll32.exemmc.exepsr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1280	rundll32.exe
1280	rundll32.exe
1280	rundll32.exe
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1176 wrote to memory of 2444	1176	mmc.exe
PID 1176 wrote to memory of 2444	1176	mmc.exe
PID 1176 wrote to memory of 2444	1176	mmc.exe
PID 1176 wrote to memory of 2520	1176	mmc.exe
PID 1176 wrote to memory of 2520	1176	mmc.exe
PID 1176 wrote to memory of 2520	1176	mmc.exe
PID 1176 wrote to memory of 1496	1176	psr.exe
PID 1176 wrote to memory of 1496	1176	psr.exe
PID 1176 wrote to memory of 1496	1176	psr.exe
PID 1176 wrote to memory of 888	1176	psr.exe
PID 1176 wrote to memory of 888	1176	psr.exe
PID 1176 wrote to memory of 888	1176	psr.exe
PID 1176 wrote to memory of 928	1176	msdt.exe
PID 1176 wrote to memory of 928	1176	msdt.exe
PID 1176 wrote to memory of 928	1176	msdt.exe
PID 1176 wrote to memory of 2852	1176	msdt.exe
PID 1176 wrote to memory of 2852	1176	msdt.exe
PID 1176 wrote to memory of 2852	1176	msdt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ce626cc979bced4df80a332aa794800_NEIKI.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2444

C:\Users\Admin\AppData\Local\fG6h\mmc.exe
C:\Users\Admin\AppData\Local\fG6h\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2520

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:1496

C:\Users\Admin\AppData\Local\7wx4oZsu\psr.exe
C:\Users\Admin\AppData\Local\7wx4oZsu\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:888

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:928

C:\Users\Admin\AppData\Local\FwAQIJCp\msdt.exe
C:\Users\Admin\AppData\Local\FwAQIJCp\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2852

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7wx4oZsu\XmlLite.dll
Filesize
1.9MB

MD5
a4a6d24c1292ef3aa2ba391585738850

SHA1
7a074a19dec67f544617c59b327fb0144bcec24a

SHA256
69cee235ea4acfaf51c8eadbdb4e25f2b6d6683930f4c03e69fa040de2ab4ecc

SHA512
3d67992a71b1b8f32665ee4261405fb60c2ee099bd4e35c9bc64c8cbb0b313dcff3906fe62181c4ac04e1be19afcc5058f0390f84db99742a63b105daf88c1a6

Download Submit
C:\Users\Admin\AppData\Local\FwAQIJCp\DUI70.dll
Filesize
2.1MB

MD5
57a05f9fafce655812e384f58e11a69c

SHA1
5275e813fcaf15bb6f6cf316fa2d3c2fb874d8ce

SHA256
1242ce5731a316b77fe57828a46ec4cc236b5ef402847fab981fd78a78e20b4b

SHA512
c712ac2ab336cd79cf2383c386eee55ff2d1ab0db4d30d387db661b0eca772463683b40f373b70024518bbf0f205c18c0bfb13ede06141e17655449a2a0bdf72

Download Submit
C:\Users\Admin\AppData\Local\fG6h\mmcbase.DLL
Filesize
1.9MB

MD5
6ce7732b811506c071ab07aa73306008

SHA1
0e5b0be3d9864ec4322a0e2a9759655b343517f2

SHA256
901d2354624d2321358cb38cace44465f676bb04283a09466866f76829db838b

SHA512
b190d27883f73fcd0bccb94e6e454ee7ea4a6cb19717e2d9848e574fa9f9a65fc496015be5c79d37e0a64a1e4f645f23e4df550078a379bfeec8553bed6b079b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
05236a37bedc3b5e10e6dc6ee4c96bbc

SHA1
56943d8b32aeeceead4ac7a45c6ff7a90059058c

SHA256
1dd4ce1e7dbb08b7b635f845ce8096ef00509e65f23480e491f6cc8603fb2bc6

SHA512
1c190a1804fbc67444aa340b5e8a01e5e1517e2e08fa58897d3f61154ba8c0d5e7337d6a6a8fa6766ddb1c37888d2c1bab992236dde553af02b481cd2b11cff1

Download Submit
\Users\Admin\AppData\Local\7wx4oZsu\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\FwAQIJCp\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\fG6h\mmc.exe
Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
memory/888-93-0x0000000140000000-0x00000001401DA000-memory.dmp

Filesize
1.9MB

Download
memory/888-89-0x0000000140000000-0x00000001401DA000-memory.dmp

Filesize
1.9MB

Download
memory/888-88-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1176-16-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-36-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/1176-15-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-14-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-37-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-27-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-26-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-24-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-23-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-22-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-21-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-20-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-19-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-17-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-7-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-13-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-12-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-11-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-9-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-8-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-39-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/1176-38-0x0000000077600000-0x0000000077602000-memory.dmp

Filesize
8KB

Download
memory/1176-50-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-48-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-3-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1176-4-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1176-10-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-18-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-25-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-28-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-6-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1176-87-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1280-57-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1280-1-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1280-2-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2520-65-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/2520-66-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/2520-69-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/2852-105-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/2852-109-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads