dridex | a26ebf633120aaf24e733dd3b9a4737d20565d3b8b43edffe548e7bc8e3528c9

General

Target

8c1edc294ab7bcaa45a2467817c833c0_NEIKI.dll
Size

1.2MB
MD5

8c1edc294ab7bcaa45a2467817c833c0
SHA1

84166d264a241b17e0c30e57c8a9029bdefc4448
SHA256

a26ebf633120aaf24e733dd3b9a4737d20565d3b8b43edffe548e7bc8e3528c9
SHA512

4369e992d268d298c9e7dbf39596f650a5390e6e5f1b3a0e555e11c7f1f0bbaf5bbc056669054aad7dfb2180e66977d3e5d93299699103239abf4dc6214be68a
SSDEEP

12288:w38uea4w46+K1FZPfxyMs2SRXTajPomqkpyrJXy6mfvHELWUbxdewWRa7CkhkgjS:K8uea4w467D5/0ypyFYELW8xFZmMXJZ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1116-4-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1824-0-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral1/memory/1116-37-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral1/memory/1116-48-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral1/memory/1116-49-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral1/memory/1824-57-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral1/memory/2528-65-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload
behavioral1/memory/2528-68-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload
behavioral1/memory/2808-82-0x0000000140000000-0x0000000140172000-memory.dmp	dridex_payload
behavioral1/memory/2808-86-0x0000000140000000-0x0000000140172000-memory.dmp	dridex_payload
behavioral1/memory/1772-103-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

xpsrchvw.exemsdt.exewinlogon.exe

pid process

2528 xpsrchvw.exe
2808 msdt.exe
1772 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

xpsrchvw.exemsdt.exewinlogon.exe

pid process

1116
2528 xpsrchvw.exe
1116
2808 msdt.exe
1116
1772 winlogon.exe
1116

pid	process
2528	xpsrchvw.exe
2808	msdt.exe
1772	winlogon.exe

pid	process
1116
2528	xpsrchvw.exe
1116
2808	msdt.exe
1116
1772	winlogon.exe
1116

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\RrSrJ\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exerundll32.exexpsrchvw.exemsdt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1116 wrote to memory of 2476	1116	xpsrchvw.exe
PID 1116 wrote to memory of 2476	1116	xpsrchvw.exe
PID 1116 wrote to memory of 2476	1116	xpsrchvw.exe
PID 1116 wrote to memory of 2528	1116	xpsrchvw.exe
PID 1116 wrote to memory of 2528	1116	xpsrchvw.exe
PID 1116 wrote to memory of 2528	1116	xpsrchvw.exe
PID 1116 wrote to memory of 2712	1116	msdt.exe
PID 1116 wrote to memory of 2712	1116	msdt.exe
PID 1116 wrote to memory of 2712	1116	msdt.exe
PID 1116 wrote to memory of 2808	1116	msdt.exe
PID 1116 wrote to memory of 2808	1116	msdt.exe
PID 1116 wrote to memory of 2808	1116	msdt.exe
PID 1116 wrote to memory of 1752	1116	winlogon.exe
PID 1116 wrote to memory of 1752	1116	winlogon.exe
PID 1116 wrote to memory of 1752	1116	winlogon.exe
PID 1116 wrote to memory of 1772	1116	winlogon.exe
PID 1116 wrote to memory of 1772	1116	winlogon.exe
PID 1116 wrote to memory of 1772	1116	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c1edc294ab7bcaa45a2467817c833c0_NEIKI.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2476

C:\Users\Admin\AppData\Local\hh6\xpsrchvw.exe
C:\Users\Admin\AppData\Local\hh6\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2528

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2712

C:\Users\Admin\AppData\Local\KzYu\msdt.exe
C:\Users\Admin\AppData\Local\KzYu\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2808

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:1752

C:\Users\Admin\AppData\Local\uatwV49\winlogon.exe
C:\Users\Admin\AppData\Local\uatwV49\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1772

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KzYu\DUI70.dll
Filesize
1.4MB

MD5
51f6e2e24c98c83d720db83fd49b6ca1

SHA1
c218a334ec10d5a405cd826fc877c497b0693b64

SHA256
32b30c90e162d3e30838c9b48aa3e8cfa1efd84cb062891e20b7b3468a0e1d07

SHA512
9a979a459df68790d8f08cc7ff00222dcef4a0abced231d4fe39eaae7a20e60d5eb95858761623834b568c657c74ca14b87454fedaf7e5d37be36e09878cac23

Download Submit
C:\Users\Admin\AppData\Local\hh6\WINMM.dll
Filesize
1.2MB

MD5
8330756872576d07cc9706715b2b234d

SHA1
1ed17f8190c8555da3a25c718c68937ec3cde4a1

SHA256
ef4320ed6d1c87c20c0d9afc254dfbac82d117cdccd5566e98e331915aea2b16

SHA512
f311a473c60089c1d52bcac6accc24ccafbc925c3a0c3529ef01a7deecc5c0a130d5be3531f97d1b2d6ffd5d19f4a174be0b4fc371d6e99e6e5fdee78af78dda

Download Submit
C:\Users\Admin\AppData\Local\uatwV49\WINSTA.dll
Filesize
1.2MB

MD5
031d2262888963e2fb519576e82c55c9

SHA1
c48e29a277e382f177b1bc858c8b33ef8122b4e7

SHA256
9cdb5ef688d20fe87f4673f60ce73e0adbaafd2ce65451e3b670b9840f8d5b54

SHA512
2e101a9fbd4d739b8ddfabb0ae168476c21a2dddff9bbf7693a18a9445fc9fa4b08a7c5f4052ad06c4860fea221a8ff7d68c4f01b52b9312f1d723c5ec806bca

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
1KB

MD5
8f9f8a2277bd48cb88548ae57abab436

SHA1
9446ef7d05da17792ff6b9f634c6a6af3a7642e9

SHA256
57620e1b524ff1906750c036499550fb278a1993e6019fb8eeeebe6cc70223c7

SHA512
2a3bdf187ca77e68ba08197ea62bb0d0a96ba95c3bb258431b95b719a3e51029fb53102bdc9512269fd9aead7673b8690a2ec1818bc392b271f8dcdb4c6ca426

Download Submit
\Users\Admin\AppData\Local\KzYu\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\hh6\xpsrchvw.exe
Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\uatwV49\winlogon.exe
Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
memory/1116-15-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-10-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-28-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-39-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1116-38-0x00000000770F0000-0x00000000770F2000-memory.dmp

Filesize
8KB

Download
memory/1116-37-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-36-0x0000000002D10000-0x0000000002D17000-memory.dmp

Filesize
28KB

Download
memory/1116-27-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-26-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-25-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-24-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-23-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-22-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-19-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-16-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-18-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-17-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-3-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1116-14-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-12-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-11-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-20-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-9-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-8-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-48-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-49-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1116-13-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-21-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-7-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-6-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1116-73-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1772-100-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1772-103-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1824-57-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1824-0-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1824-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2528-68-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2528-65-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2808-81-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2808-82-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2808-86-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads