dridex | 9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3

General

Target

9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3.dll
Size

940KB
MD5

33542753fda57b6a2eb61fcf509298d3
SHA1

ae14ea0f0e01de7ef2f4ff2e60361f1065853616
SHA256

9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3
SHA512

f664c54e9f1efe596219f4abb442d93eae6723dd377739323b619d229b4d8ded802c6b4e5a22227b8498692a4faed9c83bf4e5b82ba1e1644520140b18c6eec3
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-4-0x0000000002A20000-0x0000000002A21000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/3024-1-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1268-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1268-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1268-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/3024-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2928-54-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2928-58-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2700-73-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1984-115-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizardElev.exemspaint.exeMpSigStub.exe

pid process

2928 BitLockerWizardElev.exe
2700 mspaint.exe
1984 MpSigStub.exe
Loads dropped DLL 7 IoCs

Processes:

BitLockerWizardElev.exemspaint.exeMpSigStub.exe

pid process

1268
2928 BitLockerWizardElev.exe
1268
2700 mspaint.exe
1268
1984 MpSigStub.exe
1268

pid	process
2928	BitLockerWizardElev.exe
2700	mspaint.exe
1984	MpSigStub.exe

pid	process
1268
2928	BitLockerWizardElev.exe
1268
2700	mspaint.exe
1268
1984	MpSigStub.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\8WuVuMm\\mspaint.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeBitLockerWizardElev.exemspaint.exeMpSigStub.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 2676	1268	BitLockerWizardElev.exe
PID 1268 wrote to memory of 2676	1268	BitLockerWizardElev.exe
PID 1268 wrote to memory of 2676	1268	BitLockerWizardElev.exe
PID 1268 wrote to memory of 2928	1268	BitLockerWizardElev.exe
PID 1268 wrote to memory of 2928	1268	BitLockerWizardElev.exe
PID 1268 wrote to memory of 2928	1268	BitLockerWizardElev.exe
PID 1268 wrote to memory of 2664	1268	mspaint.exe
PID 1268 wrote to memory of 2664	1268	mspaint.exe
PID 1268 wrote to memory of 2664	1268	mspaint.exe
PID 1268 wrote to memory of 2700	1268	mspaint.exe
PID 1268 wrote to memory of 2700	1268	mspaint.exe
PID 1268 wrote to memory of 2700	1268	mspaint.exe
PID 1268 wrote to memory of 1508	1268	MpSigStub.exe
PID 1268 wrote to memory of 1508	1268	MpSigStub.exe
PID 1268 wrote to memory of 1508	1268	MpSigStub.exe
PID 1268 wrote to memory of 1984	1268	MpSigStub.exe
PID 1268 wrote to memory of 1984	1268	MpSigStub.exe
PID 1268 wrote to memory of 1984	1268	MpSigStub.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2676

C:\Users\Admin\AppData\Local\PYt\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\PYt\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2928

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:2664

C:\Users\Admin\AppData\Local\1Ktt7EPdn\mspaint.exe
C:\Users\Admin\AppData\Local\1Ktt7EPdn\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2700

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:1508

C:\Users\Admin\AppData\Local\0wsL\MpSigStub.exe
C:\Users\Admin\AppData\Local\0wsL\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0wsL\MpSigStub.exe

Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
C:\Users\Admin\AppData\Local\0wsL\VERSION.dll

Filesize
944KB

MD5
901b6517a48e05a1a4cb12539cfbf896

SHA1
2db779f384a866bf0997e0b3081349faad0c3881

SHA256
2099c8a6a09b8c01bcbf4fb0e59c4427cc5c4b31b419e72baf854c75d08fecc2

SHA512
c6810e8a0a3a7bcfab78a89224aa7d80ed11d427bc5699b6583ad4d80a023233d363260fbe90bbde1ad12f5cd53524863405b836976587a417435bc35f3d165e

Download Submit
C:\Users\Admin\AppData\Local\1Ktt7EPdn\VERSION.dll

Filesize
944KB

MD5
61a4b74e6fee08b6824999dd94d4a778

SHA1
432bdcdd60cd064a924b4511fb2c81e435b87ca6

SHA256
2fed02c8dfc9a3191cff2495765694e70be21adcedc12797d276188ca7833a66

SHA512
f890bc7ae865f27005126fc7f5b2b9dbcf64b1afc1315d6550172d6ac1de2f5ffe48e8fb3e3d9446d7b580a26ff6c6cfb1c1c13185ebf7fd829199354b35e578

Download Submit
C:\Users\Admin\AppData\Local\PYt\FVEWIZ.dll

Filesize
944KB

MD5
cfed129ff81919a750c529fc975fa5e8

SHA1
3caa30acb469163034a1350f0530a4e411704829

SHA256
c57f6f3e21327fccd3decf28b17885abf2351064d93d5c65b5f7d2fba433a508

SHA512
a7709ff49a50dc4a84c4ec6ad3a0a303e963e408f0767385866468fb728771c134c770cd72490412961f73e3f4504c9633e28d6ff5eeea23b82dc196773d20c9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
5a83a94d800691e2bbcced4a69b0572e

SHA1
1e11ef3867c3c5fd1ab6ea0b46a824b15c6304e1

SHA256
12f4afc452efdbb6fbc9ee9fc059c208003148c95ff7bd7d31093381a7bf3326

SHA512
4538b330dd0f16a4bb92046e3d31ca52d90166cd5be9f2d46e9af346da10b3513e0c6e11469a7ec9e99fc6a5f123338e41ca9846a433437705ba185a713fdee4

Download Submit
\Users\Admin\AppData\Local\1Ktt7EPdn\mspaint.exe

Filesize
6.4MB

MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\PYt\BitLockerWizardElev.exe

Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
memory/1268-25-0x0000000077420000-0x0000000077422000-memory.dmp

Filesize
8KB

Download
memory/1268-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-26-0x0000000077450000-0x0000000077452000-memory.dmp

Filesize
8KB

Download
memory/1268-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-3-0x00000000770B6000-0x00000000770B7000-memory.dmp

Filesize
4KB

Download
memory/1268-45-0x00000000770B6000-0x00000000770B7000-memory.dmp

Filesize
4KB

Download
memory/1268-15-0x0000000002A00000-0x0000000002A07000-memory.dmp

Filesize
28KB

Download
memory/1268-16-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1268-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1268-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1984-115-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2700-73-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2928-58-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2928-54-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2928-53-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/3024-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3024-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/3024-1-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads