dridex | c857bf0ea218b0898ab1dd5a040f82764e2c425235e47df6e8a397cdad220ed8

General

Target

c857bf0ea218b0898ab1dd5a040f82764e2c425235e47df6e8a397cdad220ed8.dll
Size

964KB
MD5

f78235c59196a46c2d2e038800bdc8da
SHA1

868b5ae58f59ee0593388dccc5d720328520a76e
SHA256

c857bf0ea218b0898ab1dd5a040f82764e2c425235e47df6e8a397cdad220ed8
SHA512

5e1b7c716d60bac077b642db4eff4b2b5fb62675c8c7cd509803917ebd377e0af770acb64351e54aaa1b01f72b741157b8da13f9efee418157f5396763c56bfb
SSDEEP

12288:9PVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:9tKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-4-0x00000000024B0000-0x00000000024B1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2160-0-0x0000000140000000-0x00000001400F1000-memory.dmp	dridex_payload
behavioral1/memory/1236-24-0x0000000140000000-0x00000001400F1000-memory.dmp	dridex_payload
behavioral1/memory/1236-35-0x0000000140000000-0x00000001400F1000-memory.dmp	dridex_payload
behavioral1/memory/1236-36-0x0000000140000000-0x00000001400F1000-memory.dmp	dridex_payload
behavioral1/memory/2160-44-0x0000000140000000-0x00000001400F1000-memory.dmp	dridex_payload
behavioral1/memory/376-54-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral1/memory/376-58-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral1/memory/3028-75-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral1/memory/2816-87-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral1/memory/2816-91-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

TpmInit.exeWFS.exewinlogon.exe

pid process

376 TpmInit.exe
3028 WFS.exe
2816 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

TpmInit.exeWFS.exewinlogon.exe

pid process

1236
376 TpmInit.exe
1236
3028 WFS.exe
1236
2816 winlogon.exe
1236

pid	process
376	TpmInit.exe
3028	WFS.exe
2816	winlogon.exe

pid	process
1236
376	TpmInit.exe
1236
3028	WFS.exe
1236
2816	winlogon.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\WV\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

TpmInit.exeWFS.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeTpmInit.exe

pid	process
2160	regsvr32.exe
2160	regsvr32.exe
2160	regsvr32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
376	TpmInit.exe
376	TpmInit.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1236 wrote to memory of 3008	1236	TpmInit.exe
PID 1236 wrote to memory of 3008	1236	TpmInit.exe
PID 1236 wrote to memory of 3008	1236	TpmInit.exe
PID 1236 wrote to memory of 376	1236	TpmInit.exe
PID 1236 wrote to memory of 376	1236	TpmInit.exe
PID 1236 wrote to memory of 376	1236	TpmInit.exe
PID 1236 wrote to memory of 1640	1236	WFS.exe
PID 1236 wrote to memory of 1640	1236	WFS.exe
PID 1236 wrote to memory of 1640	1236	WFS.exe
PID 1236 wrote to memory of 3028	1236	WFS.exe
PID 1236 wrote to memory of 3028	1236	WFS.exe
PID 1236 wrote to memory of 3028	1236	WFS.exe
PID 1236 wrote to memory of 2184	1236	winlogon.exe
PID 1236 wrote to memory of 2184	1236	winlogon.exe
PID 1236 wrote to memory of 2184	1236	winlogon.exe
PID 1236 wrote to memory of 2816	1236	winlogon.exe
PID 1236 wrote to memory of 2816	1236	winlogon.exe
PID 1236 wrote to memory of 2816	1236	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c857bf0ea218b0898ab1dd5a040f82764e2c425235e47df6e8a397cdad220ed8.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\4PT9\TpmInit.exe
C:\Users\Admin\AppData\Local\4PT9\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:376

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1640

C:\Users\Admin\AppData\Local\P65u\WFS.exe
C:\Users\Admin\AppData\Local\P65u\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3028

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2184

C:\Users\Admin\AppData\Local\P7T\winlogon.exe
C:\Users\Admin\AppData\Local\P7T\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4PT9\Secur32.dll

Filesize
968KB

MD5
233bd896865f53869918bb8ef85af7b7

SHA1
027e1cca3c9329c3de5e670b60a327ad88f48b5b

SHA256
73903ed1894a88f536c952fe4362be23f7854ce3f0f7cb45167a62790850c12c

SHA512
a90b7e30612cb498f7f43680721da57c91e16b7cdbf7b601177d04a58b9c26848c7c738e43a67b8430b8d8fa7dac56a36f43df1b16ed96c010a5017ef7fbb8f1

Download Submit
C:\Users\Admin\AppData\Local\P65u\UxTheme.dll

Filesize
968KB

MD5
bcd3a5c69d0a801f351d055fd2fed317

SHA1
3dacb87c4e064b0b6318775b795d2653f88c134b

SHA256
ded16e901e3ae2343583a0143ab64ab1a620ec35260f259671ff7e2cff0eb4ca

SHA512
a316ca697b4fd9fe05a196425463b80227f373aca434c0e38c0f3c68da69c3bc22c3cd6d6c13ff86d64be93417430360cae99f8db7172a56b71e8ad2b4db72c1

Download Submit
C:\Users\Admin\AppData\Local\P7T\WINSTA.dll

Filesize
972KB

MD5
a43c51cfa0e79ea133a6d9626a37afb4

SHA1
7ec179868e4c576bacfcd716763091da5dc2d8f9

SHA256
b1c17fd26acca100b5f5e9c5f4f94fe41a7012227cb0d85a4f1c18eabc6d7cb4

SHA512
af8639b123b811f0940489d7b98a38fc56d0261eadb0918d02ef68a9a95fea97f632e4d9cebbe18a1c8e15995499f4ed97a9acdf48f2908760042aed88d05d71

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk

Filesize
1000B

MD5
2466ad2fce6ef240cf0e6c21a0cd28a7

SHA1
96f09f45eb462c18f384e05261b301c65422300e

SHA256
31def1f3e9c6277662423a58f5161d5df5d21b6c6d95914ef7b252daeb64baac

SHA512
1e6275af0852a317daac44daaf6463b60e81918905e1fd4075c6751e4b4a3aa1c1e36875a8f076d72ecf24f4425c7dacecce056b3a4507fae10cb2c8cfb8c307

Download Submit
\Users\Admin\AppData\Local\4PT9\TpmInit.exe

Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\P65u\WFS.exe

Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\P7T\winlogon.exe

Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
memory/376-58-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/376-54-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/376-53-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1236-11-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-36-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-24-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-9-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-8-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-7-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-25-0x0000000077140000-0x0000000077142000-memory.dmp

Filesize
8KB

Download
memory/1236-26-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download
memory/1236-35-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-4-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1236-3-0x0000000076DD6000-0x0000000076DD7000-memory.dmp

Filesize
4KB

Download
memory/1236-45-0x0000000076DD6000-0x0000000076DD7000-memory.dmp

Filesize
4KB

Download
memory/1236-10-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-14-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-12-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-13-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-23-0x0000000002490000-0x0000000002497000-memory.dmp

Filesize
28KB

Download
memory/1236-15-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1236-6-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/2160-0-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/2160-44-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/2160-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2816-87-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/2816-91-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3028-75-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3028-70-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads