dridex | a26ebf633120aaf24e733dd3b9a4737d20565d3b8b43edffe548e7bc8e3528c9

General

Target

8c1edc294ab7bcaa45a2467817c833c0_NEIKI.dll
Size

1.2MB
MD5

8c1edc294ab7bcaa45a2467817c833c0
SHA1

84166d264a241b17e0c30e57c8a9029bdefc4448
SHA256

a26ebf633120aaf24e733dd3b9a4737d20565d3b8b43edffe548e7bc8e3528c9
SHA512

4369e992d268d298c9e7dbf39596f650a5390e6e5f1b3a0e555e11c7f1f0bbaf5bbc056669054aad7dfb2180e66977d3e5d93299699103239abf4dc6214be68a
SSDEEP

12288:w38uea4w46+K1FZPfxyMs2SRXTajPomqkpyrJXy6mfvHELWUbxdewWRa7CkhkgjS:K8uea4w467D5/0ypyFYELW8xFZmMXJZ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3580-3-0x0000000000D20000-0x0000000000D21000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/5064-1-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral2/memory/3580-37-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral2/memory/3580-48-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral2/memory/5064-51-0x0000000140000000-0x000000014013E000-memory.dmp	dridex_payload
behavioral2/memory/3544-58-0x0000000140000000-0x0000000140184000-memory.dmp	dridex_payload
behavioral2/memory/3544-62-0x0000000140000000-0x0000000140184000-memory.dmp	dridex_payload
behavioral2/memory/2200-79-0x0000000140000000-0x0000000140184000-memory.dmp	dridex_payload
behavioral2/memory/1896-95-0x0000000140000000-0x0000000140184000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

PasswordOnWakeSettingFlyout.exePasswordOnWakeSettingFlyout.exeSystemSettingsRemoveDevice.exe

pid process

3544 PasswordOnWakeSettingFlyout.exe
2200 PasswordOnWakeSettingFlyout.exe
1896 SystemSettingsRemoveDevice.exe
Loads dropped DLL 3 IoCs

Processes:

PasswordOnWakeSettingFlyout.exePasswordOnWakeSettingFlyout.exeSystemSettingsRemoveDevice.exe

pid process

3544 PasswordOnWakeSettingFlyout.exe
2200 PasswordOnWakeSettingFlyout.exe
1896 SystemSettingsRemoveDevice.exe

pid	process
3544	PasswordOnWakeSettingFlyout.exe
2200	PasswordOnWakeSettingFlyout.exe
1896	SystemSettingsRemoveDevice.exe

pid	process
3544	PasswordOnWakeSettingFlyout.exe
2200	PasswordOnWakeSettingFlyout.exe
1896	SystemSettingsRemoveDevice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jrbkpoyx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\mFfv\\PasswordOnWakeSettingFlyout.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exePasswordOnWakeSettingFlyout.exePasswordOnWakeSettingFlyout.exeSystemSettingsRemoveDevice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5064	rundll32.exe
5064	rundll32.exe
5064	rundll32.exe
5064	rundll32.exe
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3580

pid	process
3580

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3580 wrote to memory of 3092	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 3092	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 3544	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 3544	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 3596	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 3596	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 2200	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 2200	3580	PasswordOnWakeSettingFlyout.exe
PID 3580 wrote to memory of 4320	3580	SystemSettingsRemoveDevice.exe
PID 3580 wrote to memory of 4320	3580	SystemSettingsRemoveDevice.exe
PID 3580 wrote to memory of 1896	3580	SystemSettingsRemoveDevice.exe
PID 3580 wrote to memory of 1896	3580	SystemSettingsRemoveDevice.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c1edc294ab7bcaa45a2467817c833c0_NEIKI.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:3092

C:\Users\Admin\AppData\Local\WujA\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\WujA\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3544

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:3596

C:\Users\Admin\AppData\Local\IkY3p\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\IkY3p\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2200

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:4320

C:\Users\Admin\AppData\Local\ihVD\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\ihVD\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IkY3p\DUI70.dll
Filesize
1.5MB

MD5
586cdf10343d43cad88408a4b524c601

SHA1
29a1454e95e93681fdeba48f278ba7744aa5f44f

SHA256
8155dbeabd9b2a4c897fddaab04933c8c73192fd9987f307144ae3d6b9d2d1da

SHA512
a822cca2cfaa3baa801d9e77f1af354095523f4960cada2ace590eeaf14956fb9f63a12136ae07cb4d49ace1f938b532dc37d4303232ac3e7fce65dfba5d9a95

Download Submit
C:\Users\Admin\AppData\Local\WujA\DUI70.dll
Filesize
1.5MB

MD5
0a31d8f802988124f03e0e81ab08fb87

SHA1
111eb0c4491d3651c021ddfd1c749f7e35c37c63

SHA256
fced3f77f71d2f2845d82b25edcae328da777271e56c12c9e1d850c363c91e02

SHA512
0ed282039512b7780fdb389c24ba7e7f56bf0136b8267d5d8e9d254d26344969427d07fb65aeed05caff057dc763c7cff28743fcd4fe64683248fcf739c74a84

Download Submit
C:\Users\Admin\AppData\Local\WujA\PasswordOnWakeSettingFlyout.exe
Filesize
44KB

MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
C:\Users\Admin\AppData\Local\ihVD\DUI70.dll
Filesize
1.5MB

MD5
ee89699a1ec77ff4b7b909eaac5051c4

SHA1
c9aaccd876c7169e19b3186fa3069f98fff134ff

SHA256
78f989af6f85dc6237856efcea0b91c226e6cc9f0b13a11dd346cc05feb9e5a9

SHA512
38c082e82b2eb8d77a4425927d7cf854eb4d2ffcfe59b0eff79f0ac8ad9c6971e52a8ee35d3e5ef49b117d40d4e7b44ee93858b23b49753a2ec69eb8782da044

Download Submit
C:\Users\Admin\AppData\Local\ihVD\SystemSettingsRemoveDevice.exe
Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xzasfouulwckbw.lnk
Filesize
1KB

MD5
270e929349554978ab96a56d36024623

SHA1
31ba936d7a067899e5f031bd84334a2956ed0c44

SHA256
f75fc1da960c424b46a6b3d5f76e95bf59769a8367baaee76435db96c67546c7

SHA512
e6ce3cd85a51c4eef738077a67c8114a5d9abc988c2ab302a882d6795641266af6d9c0f2c29d0914bc8e7060d493631008b231048280703ca419508b43122873

Download Submit
memory/1896-95-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/1896-92-0x000002585BEE0000-0x000002585BEE7000-memory.dmp

Filesize
28KB

Download
memory/2200-79-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2200-76-0x000001FE20D10000-0x000001FE20D17000-memory.dmp

Filesize
28KB

Download
memory/3544-62-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/3544-58-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/3544-60-0x000001D077890000-0x000001D077897000-memory.dmp

Filesize
28KB

Download
memory/3580-38-0x00007FFBF27C0000-0x00007FFBF27D0000-memory.dmp

Filesize
64KB

Download
memory/3580-7-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-24-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-23-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-22-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-21-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-20-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-18-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-17-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-16-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-15-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-13-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-12-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-11-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-10-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-9-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-8-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-25-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-6-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-5-0x00007FFBF095A000-0x00007FFBF095B000-memory.dmp

Filesize
4KB

Download
memory/3580-26-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-27-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-3-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3580-48-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-39-0x00007FFBF27B0000-0x00007FFBF27C0000-memory.dmp

Filesize
64KB

Download
memory/3580-37-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-36-0x0000000000CC0000-0x0000000000CC7000-memory.dmp

Filesize
28KB

Download
memory/3580-28-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-19-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3580-14-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/5064-1-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/5064-51-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/5064-2-0x000001E5F62E0000-0x000001E5F62E7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads