dridex | c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4

General

Target

c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4.dll
Size

1.7MB
MD5

1b27f30b823c59968581b70c08e55337
SHA1

c3f4fa24983e341b0bfeb31c53189a87e1145c86
SHA256

c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4
SHA512

55a7f0686786f8e735f5eaa150a1f5dedb8fbad662892ce71fa950e1160966b7f5bfb8827eab3a46d9f20abf0a6ea89f3c33da9bb55c07ca6310ab5aab4dca29
SSDEEP

12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1q:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1176-5-0x0000000002210000-0x0000000002211000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdrleakdiag.exefveprompt.exeMpSigStub.exe

pid process

2900 rdrleakdiag.exe
1632 fveprompt.exe
1460 MpSigStub.exe
Loads dropped DLL 7 IoCs

Processes:

rdrleakdiag.exefveprompt.exeMpSigStub.exe

pid process

1176
2900 rdrleakdiag.exe
1176
1632 fveprompt.exe
1176
1460 MpSigStub.exe
1176

pid	process
2900	rdrleakdiag.exe
1632	fveprompt.exe
1460	MpSigStub.exe

pid	process
1176
2900	rdrleakdiag.exe
1176
1632	fveprompt.exe
1176
1460	MpSigStub.exe
1176

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\LIHBIU~1\\FVEPRO~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdrleakdiag.exefveprompt.exeMpSigStub.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2208	rundll32.exe
2208	rundll32.exe
2208	rundll32.exe
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1176 wrote to memory of 2336	1176	rdrleakdiag.exe
PID 1176 wrote to memory of 2336	1176	rdrleakdiag.exe
PID 1176 wrote to memory of 2336	1176	rdrleakdiag.exe
PID 1176 wrote to memory of 2900	1176	rdrleakdiag.exe
PID 1176 wrote to memory of 2900	1176	rdrleakdiag.exe
PID 1176 wrote to memory of 2900	1176	rdrleakdiag.exe
PID 1176 wrote to memory of 1480	1176	fveprompt.exe
PID 1176 wrote to memory of 1480	1176	fveprompt.exe
PID 1176 wrote to memory of 1480	1176	fveprompt.exe
PID 1176 wrote to memory of 1632	1176	fveprompt.exe
PID 1176 wrote to memory of 1632	1176	fveprompt.exe
PID 1176 wrote to memory of 1632	1176	fveprompt.exe
PID 1176 wrote to memory of 2768	1176	MpSigStub.exe
PID 1176 wrote to memory of 2768	1176	MpSigStub.exe
PID 1176 wrote to memory of 2768	1176	MpSigStub.exe
PID 1176 wrote to memory of 1460	1176	MpSigStub.exe
PID 1176 wrote to memory of 1460	1176	MpSigStub.exe
PID 1176 wrote to memory of 1460	1176	MpSigStub.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c68637d8f73c08e90207227784560ee2b64bdc78527e58aeee66d780915cedb4.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2208

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:2336

C:\Users\Admin\AppData\Local\ZYhtOG\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\ZYhtOG\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2900

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\PhUKoqsZ\fveprompt.exe
C:\Users\Admin\AppData\Local\PhUKoqsZ\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1632

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\URlj\MpSigStub.exe
C:\Users\Admin\AppData\Local\URlj\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1460

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PhUKoqsZ\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
C:\Users\Admin\AppData\Local\PhUKoqsZ\slc.dll
Filesize
1.7MB

MD5
0d80e6916c2bedac9ba8c9cb3148cacc

SHA1
9a5a77c8922129f6015ae8c6e4922219758f24cc

SHA256
cd50a42b0dffde815cccef40972504c8828bda95cc6b3bc548c54c9b5059e7e1

SHA512
c0bbfcbb2417340fd7c5073f029089da7633cc56a96f70315b60bae81d0d71ec7176c2798af6281e6a33c3a93b0d7b7dbbaff15cf051d934b66d9f42c37f65ec

Download Submit
C:\Users\Admin\AppData\Local\URlj\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
C:\Users\Admin\AppData\Local\URlj\VERSION.dll
Filesize
1.7MB

MD5
16fb505531cf4ffae6d3d9a7531d9b6d

SHA1
a340382d26d90779da402ca49796f387e301acf5

SHA256
8c35239f7e3ff05a8cc636dd1b9ed8ce647f8072ddf44e662935411b4620f21e

SHA512
74e597aceafcb9076da2b2fb90423b68b76c0f0e7235b86c97a858f718e5ab304e20ce965924840a26dfe4be558ff7856e894294399ce3325e2e4d74268c91d2

Download Submit
C:\Users\Admin\AppData\Local\ZYhtOG\rdrleakdiag.exe
Filesize
39KB

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
126ecf7c2aa65055d818f2f31deb3163

SHA1
3e05916c39ab180013e30d534e924cfa7094e055

SHA256
cddd836e2b061137c5f453f0612a88fd05706a72f63051b9db3ad014fed3f21e

SHA512
8d5602a4c22ed8daca289bad3b567f8be0e3fb2a8ea2665320b5369aa2a63434b763abeb12c1731125c1d409b0abe8ccda222dea367f2e5fb450570e06ffc18a

Download Submit
\Users\Admin\AppData\Local\ZYhtOG\VERSION.dll
Filesize
1.7MB

MD5
d840ccc578a1d997a908ec619706b8a2

SHA1
9cc683dbb3a9167deee6fe5fde808367b9cc711b

SHA256
9f491d74d8f8873646c3909327840f47a35624cbcd10618c51bbf72bf9aa10a8

SHA512
2aacd4639af844408fc46bf665991daddf2a3f505e9e87b2c439c1b068a1391de3f4d5ba51316e7bdb6f685eaf6d3a28240a72d21c893eacb7c91040245fe531

Download Submit
memory/1176-56-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-29-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-10-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-9-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-57-0x00000000021F0000-0x00000000021F7000-memory.dmp

Filesize
28KB

Download
memory/1176-49-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-48-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-47-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-46-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-45-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-44-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-43-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-41-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-40-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-39-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-38-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-36-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-35-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-34-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-33-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-32-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-30-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-8-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-5-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1176-7-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-4-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1176-151-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1176-11-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-42-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-31-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-66-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-28-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-27-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-26-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-25-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-24-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-23-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-21-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-20-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-99-0x0000000077600000-0x0000000077602000-memory.dmp

Filesize
8KB

Download
memory/1176-98-0x00000000774A1000-0x00000000774A2000-memory.dmp

Filesize
4KB

Download
memory/1176-18-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-17-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-22-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-12-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-19-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-16-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-15-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-14-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-13-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1176-69-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1460-127-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1632-107-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2208-1-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2208-37-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2208-0-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2900-89-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads