dridex | 95142dd124e732388684d79e589c18a00fe55eda2af3cd055c3bd5cc6feb2760

General

Target

95142dd124e732388684d79e589c18a00fe55eda2af3cd055c3bd5cc6feb2760.dll
Size

944KB
MD5

e1fd15726c61a16219286f808457b005
SHA1

118a7309e85d4594e91bd5fb791dce4e84ff1e9c
SHA256

95142dd124e732388684d79e589c18a00fe55eda2af3cd055c3bd5cc6feb2760
SHA512

075b89e73badb35bbe48f78e910ba5cb270548cbccb40491647b4ffd5b232883eb528c0a53f57d031e392bb77a336b8e1bba20f8b03c4efd87b7c668a9a7fe72
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3452-3-0x0000000002BE0000-0x0000000002BE1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1432-1-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3452-24-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3452-35-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/1432-38-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3680-46-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/3680-50-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/2824-66-0x0000000140000000-0x00000001400ED000-memory.dmp	dridex_payload
behavioral2/memory/1644-77-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral2/memory/1644-81-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

MusNotifyIcon.exewusa.exeRdpSaUacHelper.exe

pid process

3680 MusNotifyIcon.exe
2824 wusa.exe
1644 RdpSaUacHelper.exe
Loads dropped DLL 3 IoCs

Processes:

MusNotifyIcon.exewusa.exeRdpSaUacHelper.exe

pid process

3680 MusNotifyIcon.exe
2824 wusa.exe
1644 RdpSaUacHelper.exe

pid	process
3680	MusNotifyIcon.exe
2824	wusa.exe
1644	RdpSaUacHelper.exe

pid	process
3680	MusNotifyIcon.exe
2824	wusa.exe
1644	RdpSaUacHelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\f4FKqJ\\wusa.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeMusNotifyIcon.exewusa.exeRdpSaUacHelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1432	rundll32.exe
1432	rundll32.exe
1432	rundll32.exe
1432	rundll32.exe
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3452 wrote to memory of 1868	3452	MusNotifyIcon.exe
PID 3452 wrote to memory of 1868	3452	MusNotifyIcon.exe
PID 3452 wrote to memory of 3680	3452	MusNotifyIcon.exe
PID 3452 wrote to memory of 3680	3452	MusNotifyIcon.exe
PID 3452 wrote to memory of 4996	3452	wusa.exe
PID 3452 wrote to memory of 4996	3452	wusa.exe
PID 3452 wrote to memory of 2824	3452	wusa.exe
PID 3452 wrote to memory of 2824	3452	wusa.exe
PID 3452 wrote to memory of 4664	3452	RdpSaUacHelper.exe
PID 3452 wrote to memory of 4664	3452	RdpSaUacHelper.exe
PID 3452 wrote to memory of 1644	3452	RdpSaUacHelper.exe
PID 3452 wrote to memory of 1644	3452	RdpSaUacHelper.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\95142dd124e732388684d79e589c18a00fe55eda2af3cd055c3bd5cc6feb2760.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:1868

C:\Users\Admin\AppData\Local\Luy9Fbty2\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\Luy9Fbty2\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3680

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:4996

C:\Users\Admin\AppData\Local\H9cApgo\wusa.exe
C:\Users\Admin\AppData\Local\H9cApgo\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2824

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:4664

C:\Users\Admin\AppData\Local\IkBn\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\IkBn\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\H9cApgo\WTSAPI32.dll

Filesize
948KB

MD5
37d46d25b3aae9f7608d5519fa4de6d6

SHA1
37f1aa5bb1f8d37f679284b6ea7b0fc5fab9f55a

SHA256
df66d0df969ee1a046c7d4630e9406b278f9f5edd759d2ac63386b7b8ba41c1f

SHA512
08e3b0aa1f53431b594c37f02a35d2e06aea3aa7275adec725a844ca43f66e4f6c7e2ccb440e6e4059b21e79617ed5a28d81e63e133b1af58aa36fea3835172e

Download Submit
C:\Users\Admin\AppData\Local\H9cApgo\wusa.exe

Filesize
309KB

MD5
e43499ee2b4cf328a81bace9b1644c5d

SHA1
b2b55641f2799e3fdb3bea709c9532017bbac59d

SHA256
3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

SHA512
04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

Download Submit
C:\Users\Admin\AppData\Local\IkBn\RdpSaUacHelper.exe

Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\IkBn\WINSTA.dll

Filesize
952KB

MD5
1f93d0d6b1a451dd18b4abdee961d8ef

SHA1
74d40aab4b9bc4863316b4fb3653ef2fc7892832

SHA256
443ff88c5601b6640823ff8ebfbfb60e901de993661d06f842d157d01a8d4133

SHA512
9c334a496b810a20fcaf477a5c1334ddc53d7119cf91c8ab23bd4f9849f7baa498e0e9b0790a1fed1853ae4dc24e95af4004a44fdfc7a829cf1aa1fa0db78c4a

Download Submit
C:\Users\Admin\AppData\Local\Luy9Fbty2\MusNotifyIcon.exe

Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\Luy9Fbty2\XmlLite.dll

Filesize
948KB

MD5
9520adc5430d54f6189d682069cb5118

SHA1
524db1c1255a263b737b318047464e45bbf2988e

SHA256
38313083ae27a2063cfdab137d61d40d1daf166478c93699ddecd9b830920811

SHA512
b55240a21dc0d1f05e22e0e63e55396d646a8fd702e2b65e20b73926fb2f672bca6ae4f89e4acdb6e899cab3ad6e40796c51f93e5ee8f7bc9b6ec71a5fd754a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
dce45a28b498065b85c6392b205e2d4f

SHA1
dfb9093f73243d58b30e98eb28dcb36aa61271b6

SHA256
ffb501ac472d9dd87a7deb8164d483bb25942039f6394d3075046271875273b9

SHA512
db8e4636fbd2a19389913eb22a6c7ef8be28ff57a6de236fae85c372f604064aa6ac9a5e5c8c0c35ef6d11b19145e62a4b9131e2f6f00577f793eca1c926a86e

Download Submit
memory/1432-2-0x00000295F7B30000-0x00000295F7B37000-memory.dmp

Filesize
28KB

Download
memory/1432-1-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1432-38-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1644-81-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1644-77-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/2824-66-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/2824-61-0x000001EC13670000-0x000001EC13677000-memory.dmp

Filesize
28KB

Download
memory/3452-15-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-26-0x00007FFA9A290000-0x00007FFA9A2A0000-memory.dmp

Filesize
64KB

Download
memory/3452-9-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-7-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-11-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-12-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-13-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-35-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-3-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/3452-5-0x00007FFA9A20A000-0x00007FFA9A20B000-memory.dmp

Filesize
4KB

Download
memory/3452-6-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-24-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-25-0x00007FFA9A2A0000-0x00007FFA9A2B0000-memory.dmp

Filesize
64KB

Download
memory/3452-8-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-10-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3452-23-0x0000000002B30000-0x0000000002B37000-memory.dmp

Filesize
28KB

Download
memory/3452-14-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3680-50-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3680-46-0x0000000140000000-0x00000001400ED000-memory.dmp

Filesize
948KB

Download
memory/3680-45-0x000002541A370000-0x000002541A377000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads