dridex | 1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a

General

Target

1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll
Size

940KB
MD5

e6ffe9204f9d5606d662bf6f355c3863
SHA1

1632dfd22740045fad5a1fa5149cde3eb694ae7c
SHA256

1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a
SHA512

e08cde0affdc24597bd0bbde592fb78afcba4b187d25d3bb0b72949b3a2825c5f8e62d1ef8cf23ce495167517f16516d7448909b538085101c317845b3159ea3
SSDEEP

12288:CPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:CtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-5-0x0000000002D00000-0x0000000002D01000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2168-0-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1208-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1208-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1208-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2168-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2092-54-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2092-58-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2696-74-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/832-90-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

Dxpserver.exeSystemPropertiesAdvanced.exeSystemPropertiesComputerName.exe

pid process

2092 Dxpserver.exe
2696 SystemPropertiesAdvanced.exe
832 SystemPropertiesComputerName.exe
Loads dropped DLL 7 IoCs

Processes:

Dxpserver.exeSystemPropertiesAdvanced.exeSystemPropertiesComputerName.exe

pid process

1208
2092 Dxpserver.exe
1208
2696 SystemPropertiesAdvanced.exe
1208
832 SystemPropertiesComputerName.exe
1208

pid	process
2092	Dxpserver.exe
2696	SystemPropertiesAdvanced.exe
832	SystemPropertiesComputerName.exe

pid	process
1208
2092	Dxpserver.exe
1208
2696	SystemPropertiesAdvanced.exe
1208
832	SystemPropertiesComputerName.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\RtAA\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesAdvanced.exeSystemPropertiesComputerName.exerundll32.exeDxpserver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeDxpserver.exe

pid	process
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
2092	Dxpserver.exe
2092	Dxpserver.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2780	1208	Dxpserver.exe
PID 1208 wrote to memory of 2780	1208	Dxpserver.exe
PID 1208 wrote to memory of 2780	1208	Dxpserver.exe
PID 1208 wrote to memory of 2092	1208	Dxpserver.exe
PID 1208 wrote to memory of 2092	1208	Dxpserver.exe
PID 1208 wrote to memory of 2092	1208	Dxpserver.exe
PID 1208 wrote to memory of 2660	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2660	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2660	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2696	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2696	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2696	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2440	1208	SystemPropertiesComputerName.exe
PID 1208 wrote to memory of 2440	1208	SystemPropertiesComputerName.exe
PID 1208 wrote to memory of 2440	1208	SystemPropertiesComputerName.exe
PID 1208 wrote to memory of 832	1208	SystemPropertiesComputerName.exe
PID 1208 wrote to memory of 832	1208	SystemPropertiesComputerName.exe
PID 1208 wrote to memory of 832	1208	SystemPropertiesComputerName.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2780

C:\Users\Admin\AppData\Local\qAWt0\Dxpserver.exe
C:\Users\Admin\AppData\Local\qAWt0\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2660

C:\Users\Admin\AppData\Local\hLcr\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\hLcr\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2696

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2440

C:\Users\Admin\AppData\Local\8dqIYNw6\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\8dqIYNw6\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8dqIYNw6\SYSDM.CPL

Filesize
944KB

MD5
8af31d8f492a2650bfd90b1d073a020c

SHA1
2ce178ff5f2df5b4ee86119119932973ff9a58ba

SHA256
6d60ed3a63ffcf0f84a6fb63066ed1d046ff1c9ac30a16b0eff14cc8ac875afc

SHA512
94b662c4342484641308bc291da91afaba8312b813633f02e39357fdee7f5ac7953e7884a355c7b16fe34418ad288f83ba3ebc6fc8077cf739966551ecdf6ca6

Download Submit
C:\Users\Admin\AppData\Local\hLcr\SYSDM.CPL

Filesize
944KB

MD5
74520a692e09474a8d79a9a7431fc7e5

SHA1
821ab346b9d79119d3fa09b5488add4b07cc841d

SHA256
b923927e5a5d1b26935343eacd1dc90f950a57c3e3cc45da23c917cdf09ed2a4

SHA512
1667d1dc0ef5cd00b7a61a65a2e39469afb1e19a121a847ca53c287279c440c9ae223e871a76ee0ca3e442e605510927a72d0c34498cf2a891dc93a443c699ee

Download Submit
C:\Users\Admin\AppData\Local\qAWt0\dwmapi.dll

Filesize
944KB

MD5
540a40bd6a481859044f711a376d7cf5

SHA1
a1d2a40d9e0d8f67057d1e7ab604296ea74372e1

SHA256
92c45224f1375aa4a7bd797a6e8ef0cb7fecd2356b733a523a311bc1e6f7ca34

SHA512
068cb8fa305cd8bea1109a8b742b8fee5c7621494e950063610e8c18dd800e73d1a7e5a2c18880239eb641098730b0d03c808110631533c597bcf7c39b85cb27

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
3712c821e1335abef9355977fcf65300

SHA1
0633162bc5318586a6a0d38e06260fabb30516bc

SHA256
e4ea1a8539aa83fc00bbffde3a38137f4cff700496933775ccb643e9777ec8aa

SHA512
2059bb246333b79ad2b10903e722d53541069209261cece5712a9a798278f401597dc10bbea975694fa55ae3caf3b012131dcd0a4a859124c149d6c9a8ac1a05

Download Submit
\Users\Admin\AppData\Local\8dqIYNw6\SystemPropertiesComputerName.exe

Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\hLcr\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\qAWt0\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
memory/832-90-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1208-26-0x0000000077790000-0x0000000077792000-memory.dmp

Filesize
8KB

Download
memory/1208-45-0x00000000774F6000-0x00000000774F7000-memory.dmp

Filesize
4KB

Download
memory/1208-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-3-0x00000000774F6000-0x00000000774F7000-memory.dmp

Filesize
4KB

Download
memory/1208-25-0x0000000077760000-0x0000000077762000-memory.dmp

Filesize
8KB

Download
memory/1208-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-5-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1208-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1208-23-0x0000000002CE0000-0x0000000002CE7000-memory.dmp

Filesize
28KB

Download
memory/2092-53-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2092-58-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2092-54-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2168-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2168-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2168-0-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/2696-74-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads