dridex | 4c29136a7c79c79409ce8255d3b6157b4fc08a591220993bb90645f2acac2cab

General

Target

4c29136a7c79c79409ce8255d3b6157b4fc08a591220993bb90645f2acac2cab.dll
Size

940KB
MD5

4087adacea74316cd6099ea4f269c758
SHA1

a5d17da00274ea0ce366dd891baca90be38b587b
SHA256

4c29136a7c79c79409ce8255d3b6157b4fc08a591220993bb90645f2acac2cab
SHA512

f6377700b210cc2503f495a68dc6485ba880c5a88724657b6851c6889be808d2650f77bd3303c0088da2e518d305b2d29797d565dce19502d8cea4c5b52d29ed
SSDEEP

12288:EPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:EtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-4-0x0000000002DD0000-0x0000000002DD1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2060-0-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1196-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1196-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1196-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2060-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1276-54-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral1/memory/1276-58-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral1/memory/2204-70-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2204-74-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1936-86-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/1936-90-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

DevicePairingWizard.exewbengine.exeUtilman.exe

pid process

1276 DevicePairingWizard.exe
2204 wbengine.exe
1936 Utilman.exe
Loads dropped DLL 7 IoCs

Processes:

DevicePairingWizard.exewbengine.exeUtilman.exe

pid process

1196
1276 DevicePairingWizard.exe
1196
2204 wbengine.exe
1196
1936 Utilman.exe
1196

pid	process
1276	DevicePairingWizard.exe
2204	wbengine.exe
1936	Utilman.exe

pid	process
1196
1276	DevicePairingWizard.exe
1196
2204	wbengine.exe
1196
1936	Utilman.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\FAY4V8EIGll\\wbengine.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDevicePairingWizard.exewbengine.exeUtilman.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2784	1196	DevicePairingWizard.exe
PID 1196 wrote to memory of 2784	1196	DevicePairingWizard.exe
PID 1196 wrote to memory of 2784	1196	DevicePairingWizard.exe
PID 1196 wrote to memory of 1276	1196	DevicePairingWizard.exe
PID 1196 wrote to memory of 1276	1196	DevicePairingWizard.exe
PID 1196 wrote to memory of 1276	1196	DevicePairingWizard.exe
PID 1196 wrote to memory of 1704	1196	wbengine.exe
PID 1196 wrote to memory of 1704	1196	wbengine.exe
PID 1196 wrote to memory of 1704	1196	wbengine.exe
PID 1196 wrote to memory of 2204	1196	wbengine.exe
PID 1196 wrote to memory of 2204	1196	wbengine.exe
PID 1196 wrote to memory of 2204	1196	wbengine.exe
PID 1196 wrote to memory of 956	1196	Utilman.exe
PID 1196 wrote to memory of 956	1196	Utilman.exe
PID 1196 wrote to memory of 956	1196	Utilman.exe
PID 1196 wrote to memory of 1936	1196	Utilman.exe
PID 1196 wrote to memory of 1936	1196	Utilman.exe
PID 1196 wrote to memory of 1936	1196	Utilman.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c29136a7c79c79409ce8255d3b6157b4fc08a591220993bb90645f2acac2cab.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\J7bGpwU\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\J7bGpwU\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1276

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:1704

C:\Users\Admin\AppData\Local\njZ\wbengine.exe
C:\Users\Admin\AppData\Local\njZ\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2204

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:956

C:\Users\Admin\AppData\Local\IcNn\Utilman.exe
C:\Users\Admin\AppData\Local\IcNn\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IcNn\DUI70.dll

Filesize
1.1MB

MD5
bd801c4e4e0567194c85e42ecdb9dfbe

SHA1
707480ee59bcf426656ae563306bf2bbfd8e9542

SHA256
d35356c714171b116b466d5584d1edb036b8608737c5d8b36e369d60aa8bb263

SHA512
924d4997698dc7b92405503e57c74d5daff0db9bd64f7c37fc2207d17b6a42f48a4adcdb34af61699117609dc3cfec32d92a305063112b3473816d2ebce32699

Download Submit
C:\Users\Admin\AppData\Local\IcNn\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
C:\Users\Admin\AppData\Local\J7bGpwU\MFC42u.dll

Filesize
968KB

MD5
099245ec4137218d361151b7566e36ed

SHA1
dbb228ada80433313296b44c03c36b662ec446d6

SHA256
aeaea80bcff94932fcbb8b9b7944a53cef7e0e6a33b7d0faf370bf474517f8a8

SHA512
c8e32941f06ccc2a87f4af51eba1c2fbddc354c98135d8608d1aa2a34f1e1755d3148de542882adb459e9765a7f4ca34f2d82c6e7dda09811aa2b99e7051acc3

Download Submit
C:\Users\Admin\AppData\Local\njZ\XmlLite.dll

Filesize
944KB

MD5
991aa5a2abcc63479bb0b6f7b56150dd

SHA1
1204106e6268a418e8cce777ae4ee819a65dd0de

SHA256
edb2e73a38178722e6dfeb5aed28ebb4e8af2815c4b647f3aab9820b90ac6966

SHA512
42804652b9b23ada05a3aed4c77a64ff5dc2ec84579f6e6f413916c31ab8379791e1e44233be4c5544d0165c6beaa3e4325440f2c177acb06a34918be7a1406a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
f1fa3cff1898416e1a05851aec51247b

SHA1
dc5b00efc0859535ffa86bc1c15c807d30200953

SHA256
f8e7163c379fb43e7807c5cbe42e3ddc83d9c96eeb2721325fdc51ffbecb3a22

SHA512
af7582895cfc9e2bf34d893c92ca9a6cbab0c243db9e2302468e64cbf06b5283f39ff86590701978e179b98863a65f4b2cecaa22911743922878b3bc17794d5c

Download Submit
\Users\Admin\AppData\Local\J7bGpwU\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\njZ\wbengine.exe

Filesize
1.4MB

MD5
78f4e7f5c56cb9716238eb57da4b6a75

SHA1
98b0b9db6ec5961dbb274eff433a8bc21f7e557b

SHA256
46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

SHA512
1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

Download Submit
memory/1196-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-3-0x00000000778E6000-0x00000000778E7000-memory.dmp

Filesize
4KB

Download
memory/1196-23-0x0000000002DB0000-0x0000000002DB7000-memory.dmp

Filesize
28KB

Download
memory/1196-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-25-0x0000000077B50000-0x0000000077B52000-memory.dmp

Filesize
8KB

Download
memory/1196-26-0x0000000077B80000-0x0000000077B82000-memory.dmp

Filesize
8KB

Download
memory/1196-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-4-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1196-45-0x00000000778E6000-0x00000000778E7000-memory.dmp

Filesize
4KB

Download
memory/1196-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1196-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1276-58-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/1276-53-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1276-54-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/1936-86-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/1936-90-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2060-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2060-1-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2060-0-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2204-70-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2204-74-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads