dridex | 5dd8bbc2a06f32e7ae85158d378bf1c6ca1a03c766d36a350329958f02a77ffd

General

Target

5dd8bbc2a06f32e7ae85158d378bf1c6ca1a03c766d36a350329958f02a77ffd.dll
Size

1.2MB
MD5

add78f4a51bc5a019c357ceb81094996
SHA1

1d908cdabfa232ac577ed7ad302a4e774aa472e0
SHA256

5dd8bbc2a06f32e7ae85158d378bf1c6ca1a03c766d36a350329958f02a77ffd
SHA512

83b3429bc0871d28c48db7db15d44fe65e7b02fa9609fd9b357f571059c466743fa355b88163e48d36c7e9c8f16ff03080781feb282a5770d51c8bf5ba545298
SSDEEP

12288:hPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8xy:htKTrsKSKBTSb6DUXWq8x

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3356-3-0x0000000002D40000-0x0000000002D41000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3512-2-0x0000000140000000-0x0000000140130000-memory.dmp	dridex_payload
behavioral2/memory/3356-35-0x0000000140000000-0x0000000140130000-memory.dmp	dridex_payload
behavioral2/memory/3356-24-0x0000000140000000-0x0000000140130000-memory.dmp	dridex_payload
behavioral2/memory/3512-38-0x0000000140000000-0x0000000140130000-memory.dmp	dridex_payload
behavioral2/memory/4504-45-0x0000000140000000-0x0000000140132000-memory.dmp	dridex_payload
behavioral2/memory/4504-50-0x0000000140000000-0x0000000140132000-memory.dmp	dridex_payload
behavioral2/memory/2872-66-0x0000000140000000-0x0000000140132000-memory.dmp	dridex_payload
behavioral2/memory/3772-77-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_payload
behavioral2/memory/3772-81-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exebdeunlock.exeOptionalFeatures.exe

pid process

4504 PresentationSettings.exe
2872 bdeunlock.exe
3772 OptionalFeatures.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exebdeunlock.exeOptionalFeatures.exe

pid process

4504 PresentationSettings.exe
2872 bdeunlock.exe
3772 OptionalFeatures.exe

pid	process
4504	PresentationSettings.exe
2872	bdeunlock.exe
3772	OptionalFeatures.exe

pid	process
4504	PresentationSettings.exe
2872	bdeunlock.exe
3772	OptionalFeatures.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qiqbxsgjw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\hGmf1\\bdeunlock.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exePresentationSettings.exebdeunlock.exeOptionalFeatures.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3512	rundll32.exe
3512	rundll32.exe
3512	rundll32.exe
3512	rundll32.exe
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3356

pid	process
3356

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3356 wrote to memory of 1036	3356	PresentationSettings.exe
PID 3356 wrote to memory of 1036	3356	PresentationSettings.exe
PID 3356 wrote to memory of 4504	3356	PresentationSettings.exe
PID 3356 wrote to memory of 4504	3356	PresentationSettings.exe
PID 3356 wrote to memory of 5092	3356	bdeunlock.exe
PID 3356 wrote to memory of 5092	3356	bdeunlock.exe
PID 3356 wrote to memory of 2872	3356	bdeunlock.exe
PID 3356 wrote to memory of 2872	3356	bdeunlock.exe
PID 3356 wrote to memory of 3488	3356	OptionalFeatures.exe
PID 3356 wrote to memory of 3488	3356	OptionalFeatures.exe
PID 3356 wrote to memory of 3772	3356	OptionalFeatures.exe
PID 3356 wrote to memory of 3772	3356	OptionalFeatures.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dd8bbc2a06f32e7ae85158d378bf1c6ca1a03c766d36a350329958f02a77ffd.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3512

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:1036

C:\Users\Admin\AppData\Local\XHy0HD\PresentationSettings.exe
C:\Users\Admin\AppData\Local\XHy0HD\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4504

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:5092

C:\Users\Admin\AppData\Local\XM3\bdeunlock.exe
C:\Users\Admin\AppData\Local\XM3\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2872

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:3488

C:\Users\Admin\AppData\Local\d2d9C5Qhz\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\d2d9C5Qhz\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\XHy0HD\PresentationSettings.exe

Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\XHy0HD\WINMM.dll

Filesize
1.2MB

MD5
c065b71de2701e39b4fb3142e2146359

SHA1
7039a1974bf31c2c9521bd88e30b360815840f68

SHA256
fb6bc9c87478d89386118e6edb5b85b30fe2628632c71a200b575ba20419342e

SHA512
1a007f64690bf8b94098b8c88e17b3581c5cfac490ceacc71cc81a4c484e8dd210f8db75dc29fa3d3cccdd080285e7f293ecc9414e3c26319cd5db82e30fd3e4

Download Submit
C:\Users\Admin\AppData\Local\XM3\DUser.dll

Filesize
1.2MB

MD5
6752b1457e51d1ecdb87e4581ccbc1a6

SHA1
3615e0d0e545324cf690902c91dfb9f1eec75d63

SHA256
a2b6eb30613ddc8eb3a4541813f2b54346486364028a9619c9d2a54eb9dd6a41

SHA512
33ca56734f3ec3ca33b12316e57175ccb6142a733bf5b97e8fbee2871f26407f373d88c47ac72f2af0cd283ac728c9bf70685e2e5301c6cd7052722534b37dd0

Download Submit
C:\Users\Admin\AppData\Local\XM3\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\d2d9C5Qhz\OptionalFeatures.exe

Filesize
110KB

MD5
d6cd8bef71458804dbc33b88ace56372

SHA1
a18b58445be2492c5d37abad69b5aa0d29416a60

SHA256
fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

SHA512
1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

Download Submit
C:\Users\Admin\AppData\Local\d2d9C5Qhz\appwiz.cpl

Filesize
1.2MB

MD5
cb0953a424a3e1ac635037ebf558beac

SHA1
46a48cd8a470ce58bc49f9b0150262abae84494d

SHA256
cf55dd1120b790ec973f9d2df8fc293c8c50e38be8f4ccf2e2755b580107569e

SHA512
0f7eec39d07ee055344c05b2fe7b1ac2faf824477c15929b6c78fca3094da74fe2b92f3f5c224bd9dd85c29dd587f1b255345cfa5bc2353cc3e513a0aedc8847

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk

Filesize
1KB

MD5
1c854d2c65583b45d10a951187fb36ef

SHA1
40fd88495bed40d389b4623a9462e42600a316c5

SHA256
422ff1eb5b6aea17769820f4fb5cef55fd859c84ca540e7770052ce8fbf94685

SHA512
abce4a1491ffc19c4ad87e95d79dc633932f43aec258f0aacae6376297cf2c57f3c5dc248e3c270f288109ebc06e4e9eca044e31de5e612735ca054c703a054f

Download Submit
memory/2872-66-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2872-63-0x000002637CD70000-0x000002637CD77000-memory.dmp

Filesize
28KB

Download
memory/3356-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-26-0x00007FFDDAD30000-0x00007FFDDAD40000-memory.dmp

Filesize
64KB

Download
memory/3356-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-23-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

Filesize
28KB

Download
memory/3356-3-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/3356-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-25-0x00007FFDDAD40000-0x00007FFDDAD50000-memory.dmp

Filesize
64KB

Download
memory/3356-5-0x00007FFDD935A000-0x00007FFDD935B000-memory.dmp

Filesize
4KB

Download
memory/3356-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3356-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-0-0x0000019989280000-0x0000019989287000-memory.dmp

Filesize
28KB

Download
memory/3512-38-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-2-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3772-77-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3772-81-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4504-50-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/4504-47-0x000001A9C3140000-0x000001A9C3147000-memory.dmp

Filesize
28KB

Download
memory/4504-45-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads