dridex | 2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616

General

Target

2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616.dll
Size

1.3MB
MD5

78cd435c2bb78c951eb88ade80c5c5fe
SHA1

c3c5629d2b6dad9a6e91b917829b3815ec8eaa7a
SHA256

2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616
SHA512

ac4221b69e7ffa70660d891af300cfeba463c1cd3f3581529f9b6c94c88d9e547a7df2f2c21e499a3034044d76452da42f7bbc041c9787629f75f7c8b1a97689
SSDEEP

12288:JXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:FB/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3436-3-0x00000000009A0000-0x00000000009A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2420-1-0x00007FFB532F0000-0x00007FFB5343A000-memory.dmp	dridex_payload
behavioral2/memory/3436-21-0x0000000140000000-0x000000014014A000-memory.dmp	dridex_payload
behavioral2/memory/3436-29-0x0000000140000000-0x000000014014A000-memory.dmp	dridex_payload
behavioral2/memory/3436-40-0x0000000140000000-0x000000014014A000-memory.dmp	dridex_payload
behavioral2/memory/2420-43-0x00007FFB532F0000-0x00007FFB5343A000-memory.dmp	dridex_payload
behavioral2/memory/1224-52-0x00007FFB565B0000-0x00007FFB566FB000-memory.dmp	dridex_payload
behavioral2/memory/1224-55-0x00007FFB565B0000-0x00007FFB566FB000-memory.dmp	dridex_payload
behavioral2/memory/2212-71-0x00007FFB565B0000-0x00007FFB566FB000-memory.dmp	dridex_payload
behavioral2/memory/372-82-0x00007FFB565A0000-0x00007FFB566F1000-memory.dmp	dridex_payload
behavioral2/memory/372-86-0x00007FFB565A0000-0x00007FFB566F1000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

ie4uinit.exerdpclip.exeshrpubw.exe

pid process

1224 ie4uinit.exe
2212 rdpclip.exe
372 shrpubw.exe
Loads dropped DLL 3 IoCs

Processes:

ie4uinit.exerdpclip.exeshrpubw.exe

pid process

1224 ie4uinit.exe
2212 rdpclip.exe
372 shrpubw.exe

pid	process
1224	ie4uinit.exe
2212	rdpclip.exe
372	shrpubw.exe

pid	process
1224	ie4uinit.exe
2212	rdpclip.exe
372	shrpubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\Db0wCK\\rdpclip.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeie4uinit.exerdpclip.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2420	rundll32.exe
2420	rundll32.exe
2420	rundll32.exe
2420	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3436
3436

pid	process
3436
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 3076	3436	ie4uinit.exe
PID 3436 wrote to memory of 3076	3436	ie4uinit.exe
PID 3436 wrote to memory of 1224	3436	ie4uinit.exe
PID 3436 wrote to memory of 1224	3436	ie4uinit.exe
PID 3436 wrote to memory of 3616	3436	rdpclip.exe
PID 3436 wrote to memory of 3616	3436	rdpclip.exe
PID 3436 wrote to memory of 2212	3436	rdpclip.exe
PID 3436 wrote to memory of 2212	3436	rdpclip.exe
PID 3436 wrote to memory of 3540	3436	shrpubw.exe
PID 3436 wrote to memory of 3540	3436	shrpubw.exe
PID 3436 wrote to memory of 372	3436	shrpubw.exe
PID 3436 wrote to memory of 372	3436	shrpubw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cb40d63d23cb6e223f8b6bc7562e3e24f3681110670ff7e27eb82f22031e616.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:3076

C:\Users\Admin\AppData\Local\xuOkYJCT\ie4uinit.exe
C:\Users\Admin\AppData\Local\xuOkYJCT\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1224

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:3616

C:\Users\Admin\AppData\Local\I6odbPrl\rdpclip.exe
C:\Users\Admin\AppData\Local\I6odbPrl\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2212

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:3540

C:\Users\Admin\AppData\Local\aQNaj\shrpubw.exe
C:\Users\Admin\AppData\Local\aQNaj\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\I6odbPrl\dwmapi.dll

Filesize
1.3MB

MD5
09ebef8ec754fef3ba7445697ac1d8ad

SHA1
46f6fe5abc5882d20ed5abe2703c6f85500b82e2

SHA256
817552d23360af5c5b32db8f0bada0b52828677d381a77eecf9b06e9fb733ce9

SHA512
97e249d18595f5dfc883a485203acc1c38b5a49238a2c340b058fafc1357739cb182c913dd9fd6195d1cd246ec858be0fa82c1500378396c02fd689c6fb0ce1e

Download Submit
C:\Users\Admin\AppData\Local\I6odbPrl\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Local\aQNaj\MFC42u.dll

Filesize
1.3MB

MD5
005233d6092ab18534afa04b21d8c19e

SHA1
51f6fcd2e338076d9f8f0021461d6aae09892544

SHA256
5c8de00400a4757e688314e70dd2ead55c91ef259c1de6d2cecbf2e485df0717

SHA512
d3bba83b50379589276bd179ae8f871bc5a3a2905efd6050b8f7d84db0cbecbdf33c8f62274b2d65864844cab067cbcabc933b7b5b73ce495c364e2fe798c3e0

Download Submit
C:\Users\Admin\AppData\Local\aQNaj\shrpubw.exe

Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
C:\Users\Admin\AppData\Local\xuOkYJCT\VERSION.dll

Filesize
1.3MB

MD5
92b6ab49e758cf04b0923ac4672da9d9

SHA1
63882626020a7bca567a37b4923ca0cdf4300908

SHA256
4e2e0d26284e9fa00fcfd717b2ba49187ce86b47eb3c70023ec2312e25c49c79

SHA512
d3425bbb94674b474be5dbdc2ccb2a2c96540a2335717d9f2ecd74db5993e711ecbb3a63b282b9292cc53af0fd8c6ba2827c27a6ec774c19dd5d841cb0d0403e

Download Submit
C:\Users\Admin\AppData\Local\xuOkYJCT\ie4uinit.exe

Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1KB

MD5
c4684a846cd73736281c25c2d5c3a07c

SHA1
9f95e5bbdc3c7962bb3ee9b690b315307bef1eb9

SHA256
e1f3a65a63f6ad0025ae2e3c0228d913a3276bb52446d41daa11ba432e96155f

SHA512
d1c189bc3551b68dbdb89095e6e5f990903b4d8673c664dd8a4f0eace67e31a33e0293a75e5f922e3ea2cdc959b1bbacf6c218104ac97c94b30f504c89cae428

Download Submit
memory/372-86-0x00007FFB565A0000-0x00007FFB566F1000-memory.dmp

Filesize
1.3MB

Download
memory/372-82-0x00007FFB565A0000-0x00007FFB566F1000-memory.dmp

Filesize
1.3MB

Download
memory/1224-55-0x00007FFB565B0000-0x00007FFB566FB000-memory.dmp

Filesize
1.3MB

Download
memory/1224-52-0x00007FFB565B0000-0x00007FFB566FB000-memory.dmp

Filesize
1.3MB

Download
memory/1224-50-0x000002D6143B0000-0x000002D6143B7000-memory.dmp

Filesize
28KB

Download
memory/2212-68-0x000001A3FF1E0000-0x000001A3FF1E7000-memory.dmp

Filesize
28KB

Download
memory/2212-71-0x00007FFB565B0000-0x00007FFB566FB000-memory.dmp

Filesize
1.3MB

Download
memory/2420-0-0x00000200A5920000-0x00000200A5927000-memory.dmp

Filesize
28KB

Download
memory/2420-43-0x00007FFB532F0000-0x00007FFB5343A000-memory.dmp

Filesize
1.3MB

Download
memory/2420-1-0x00007FFB532F0000-0x00007FFB5343A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-40-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-18-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-10-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-9-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-8-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-7-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-17-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-6-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-12-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-14-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-16-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-11-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-20-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-30-0x00007FFB656A0000-0x00007FFB656B0000-memory.dmp

Filesize
64KB

Download
memory/3436-31-0x00007FFB65690000-0x00007FFB656A0000-memory.dmp

Filesize
64KB

Download
memory/3436-29-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-28-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/3436-21-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-15-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-13-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-5-0x00007FFB649CA000-0x00007FFB649CB000-memory.dmp

Filesize
4KB

Download
memory/3436-3-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads