dridex | e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8

General

Target

e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll
Size

940KB
MD5

d63ff00d75923760db3db59ad66520ee
SHA1

698ef541cd9d32955422d8af16fdbc2437039bd0
SHA256

e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8
SHA512

347238b6dbe7c5a1b9e4610a5d3b2b9f93ca34a3999c21b1257ccec507bcb1a4d792164f6461fde911147b1cff20e817d575e7c7e10406b9c00fabaf0372b1e2
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1224-4-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2628-1-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1224-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1224-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1224-37-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2628-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1368-54-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1368-58-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2204-78-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/576-94-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exeVaultSysUi.exeddodiag.exe

pid process

1368 rdpclip.exe
2204 VaultSysUi.exe
576 ddodiag.exe
Loads dropped DLL 8 IoCs

Processes:

rdpclip.exeVaultSysUi.exeddodiag.exe

pid process

1224
1368 rdpclip.exe
1224
1224
2204 VaultSysUi.exe
1224
576 ddodiag.exe
1224

pid	process
1368	rdpclip.exe
2204	VaultSysUi.exe
576	ddodiag.exe

pid	process
1224
1368	rdpclip.exe
1224
1224
2204	VaultSysUi.exe
1224
576	ddodiag.exe
1224

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\8N3cANbo\\VaultSysUi.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exeVaultSysUi.exeddodiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1224 wrote to memory of 2972	1224	rdpclip.exe
PID 1224 wrote to memory of 2972	1224	rdpclip.exe
PID 1224 wrote to memory of 2972	1224	rdpclip.exe
PID 1224 wrote to memory of 1368	1224	rdpclip.exe
PID 1224 wrote to memory of 1368	1224	rdpclip.exe
PID 1224 wrote to memory of 1368	1224	rdpclip.exe
PID 1224 wrote to memory of 2076	1224	VaultSysUi.exe
PID 1224 wrote to memory of 2076	1224	VaultSysUi.exe
PID 1224 wrote to memory of 2076	1224	VaultSysUi.exe
PID 1224 wrote to memory of 2204	1224	VaultSysUi.exe
PID 1224 wrote to memory of 2204	1224	VaultSysUi.exe
PID 1224 wrote to memory of 2204	1224	VaultSysUi.exe
PID 1224 wrote to memory of 1268	1224	ddodiag.exe
PID 1224 wrote to memory of 1268	1224	ddodiag.exe
PID 1224 wrote to memory of 1268	1224	ddodiag.exe
PID 1224 wrote to memory of 576	1224	ddodiag.exe
PID 1224 wrote to memory of 576	1224	ddodiag.exe
PID 1224 wrote to memory of 576	1224	ddodiag.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2972

C:\Users\Admin\AppData\Local\L8ML8ivA0\rdpclip.exe
C:\Users\Admin\AppData\Local\L8ML8ivA0\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1368

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:2076

C:\Users\Admin\AppData\Local\CWQ\VaultSysUi.exe
C:\Users\Admin\AppData\Local\CWQ\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2204

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Po4HU0\ddodiag.exe
C:\Users\Admin\AppData\Local\Po4HU0\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CWQ\credui.dll

Filesize
944KB

MD5
6a692308039b9b36a255e484d4d295eb

SHA1
802262ed8dc250df846753ba5969e3e09834c185

SHA256
569f140a2cfd91ed3cebef13d7f1f19e9b8245adfd6c9a3049d0b328419ff523

SHA512
d409b041c88da52e79a6f43c45d47ced4726da61d6743b874a74f5aa17856897c943ca71215305c74142bb7cc5640759364f3034473a871bce6dc11e4ec87185

Download Submit
C:\Users\Admin\AppData\Local\L8ML8ivA0\WTSAPI32.dll

Filesize
944KB

MD5
e0d89b9d0bdb4b377ce5a74aca02bda3

SHA1
311b5bea61835a383988b6844c757afa76ae10c6

SHA256
d7db0fa9506d2051f87761032ee03a2aa1c7cea8862b8675092798821ccca5f4

SHA512
c92dc67ece62fc8016f434baa0caea715f320e0fa08ed08c0943b56ef787d43076bd2dde4156b02ed1264b1f6db3ad0ef89da01b74bbf52088c986787923fa7b

Download Submit
C:\Users\Admin\AppData\Local\Po4HU0\XmlLite.dll

Filesize
944KB

MD5
6cb1f7001a9932303269b9f1fce48e7c

SHA1
858fee5f0a68fa779428593448dbf5c917cec658

SHA256
1e9921f8a86037f2c0e134ce58ddbbc204ba5010934ca388c1c93779453b8adc

SHA512
5a9cb8f4db057a783f5bddef0e26af1896cee504198cd7baf565946a07cdd68e281e5b215b8eadb5be3b18d7573fb51f6b46d5e5afc027f3fe3425f936463006

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
bdb03cbd3b64db15efce81d7fb87b77c

SHA1
035b9374fde76991d166f5ef81c011bb2bd64c1c

SHA256
ab92aefd59329e5388bac21d10d3d81fa6b361f1e0d57c67bef8d438c3da8140

SHA512
d4217e7630e04a24545480188579826a0cefdec71c63a3cf88b5f924a0e2e7dc4af7bfadb05250dd2bafbda6d70a645c3a65496ebb1c4570cd0af6b3778681da

Download Submit
\Users\Admin\AppData\Local\CWQ\VaultSysUi.exe

Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\L8ML8ivA0\rdpclip.exe

Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\Po4HU0\ddodiag.exe

Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
memory/576-94-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1224-25-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

Filesize
8KB

Download
memory/1224-45-0x0000000077836000-0x0000000077837000-memory.dmp

Filesize
4KB

Download
memory/1224-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-3-0x0000000077836000-0x0000000077837000-memory.dmp

Filesize
4KB

Download
memory/1224-26-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/1224-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-37-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1224-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-23-0x00000000024D0000-0x00000000024D7000-memory.dmp

Filesize
28KB

Download
memory/1224-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1224-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1368-58-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1368-54-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1368-53-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2204-73-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2204-78-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2628-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2628-0-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2628-1-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads