dridex | fb1a305589018230311a426fea737ae107770eddc6441c497d02baac206d7110

General

Target

fb1a305589018230311a426fea737ae107770eddc6441c497d02baac206d7110.dll
Size

1.5MB
MD5

1e9ff1b997f023586284933ba6f950ab
SHA1

c90cc77bfb1453f9840d5687667a494e6fdea326
SHA256

fb1a305589018230311a426fea737ae107770eddc6441c497d02baac206d7110
SHA512

e75cf5e46b652125845a1efe8ab1086c08263c36f18fc103da01e0553b73a7c9601de888c09b940ae61cba1487202039b8e0b7b25e32e4c9286f50b9ef443fb2
SSDEEP

12288:1XBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:pB/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-4-0x0000000002D60000-0x0000000002D61000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1868-0-0x000007FEF6220000-0x000007FEF639F000-memory.dmp	dridex_payload
behavioral1/memory/1216-22-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/1216-38-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/1216-37-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/1216-30-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/1868-46-0x000007FEF6220000-0x000007FEF639F000-memory.dmp	dridex_payload
behavioral1/memory/2760-55-0x000007FEF5D00000-0x000007FEF5E80000-memory.dmp	dridex_payload
behavioral1/memory/2760-58-0x000007FEF5D00000-0x000007FEF5E80000-memory.dmp	dridex_payload
behavioral1/memory/2820-87-0x000007FEF5D00000-0x000007FEF5E80000-memory.dmp	dridex_payload
behavioral1/memory/1400-99-0x000007FEF5CC0000-0x000007FEF5E73000-memory.dmp	dridex_payload
behavioral1/memory/1400-103-0x000007FEF5CC0000-0x000007FEF5E73000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

mspaint.exeBitLockerWizard.exedpapimig.exe

pid process

2760 mspaint.exe
2820 BitLockerWizard.exe
1400 dpapimig.exe
Loads dropped DLL 7 IoCs

Processes:

mspaint.exeBitLockerWizard.exedpapimig.exe

pid process

1216
2760 mspaint.exe
1216
2820 BitLockerWizard.exe
1216
1400 dpapimig.exe
1216

pid	process
2760	mspaint.exe
2820	BitLockerWizard.exe
1400	dpapimig.exe

pid	process
1216
2760	mspaint.exe
1216
2820	BitLockerWizard.exe
1216
1400	dpapimig.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\Dkl\\BITLOC~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dpapimig.exerundll32.exemspaint.exeBitLockerWizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 2524	1216	mspaint.exe
PID 1216 wrote to memory of 2524	1216	mspaint.exe
PID 1216 wrote to memory of 2524	1216	mspaint.exe
PID 1216 wrote to memory of 2760	1216	mspaint.exe
PID 1216 wrote to memory of 2760	1216	mspaint.exe
PID 1216 wrote to memory of 2760	1216	mspaint.exe
PID 1216 wrote to memory of 2796	1216	BitLockerWizard.exe
PID 1216 wrote to memory of 2796	1216	BitLockerWizard.exe
PID 1216 wrote to memory of 2796	1216	BitLockerWizard.exe
PID 1216 wrote to memory of 2820	1216	BitLockerWizard.exe
PID 1216 wrote to memory of 2820	1216	BitLockerWizard.exe
PID 1216 wrote to memory of 2820	1216	BitLockerWizard.exe
PID 1216 wrote to memory of 1712	1216	dpapimig.exe
PID 1216 wrote to memory of 1712	1216	dpapimig.exe
PID 1216 wrote to memory of 1712	1216	dpapimig.exe
PID 1216 wrote to memory of 1400	1216	dpapimig.exe
PID 1216 wrote to memory of 1400	1216	dpapimig.exe
PID 1216 wrote to memory of 1400	1216	dpapimig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb1a305589018230311a426fea737ae107770eddc6441c497d02baac206d7110.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:2524

C:\Users\Admin\AppData\Local\5jM\mspaint.exe
C:\Users\Admin\AppData\Local\5jM\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2760

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\fNPqOcTn\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\fNPqOcTn\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2820

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\wdFens\dpapimig.exe
C:\Users\Admin\AppData\Local\wdFens\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5jM\VERSION.dll

Filesize
1.5MB

MD5
79d77bd9184277773f5a64b5850ac98d

SHA1
aa518c8316dcba1b35af827db87a4460914fe09d

SHA256
47f373e2af01dadbb40b91d48cc0db94ed090cc5f5d8516f8a86d7135507fbdb

SHA512
35c4f7cc1a1cfeaa74b387b85e02888e1ffc158103f381d1bb2e7c1cf9fbed28c721742a3f7df67162e6b27c16d2f42e53280c95c66f92ffcdd3747a65634cea

Download Submit
C:\Users\Admin\AppData\Local\fNPqOcTn\FVEWIZ.dll

Filesize
1.5MB

MD5
450a96ced4b3a248c0364e4b011101c5

SHA1
2ed5acce490b46b708acaa423b9db92e7d9aaaf0

SHA256
2ed26ed47a5cf99bac189ff62629e274e6014010a68fbfaca35b5e4cb1ef0432

SHA512
2021e022a7698ea5c506ffa4ac0e6510348fa2d7307ff4f836bf36b31201a44647a37d5e63d555cf0bd636a1efd7d77a4f4a1629581486db814e78ec396a3c9a

Download Submit
C:\Users\Admin\AppData\Local\wdFens\DUI70.dll

Filesize
1.7MB

MD5
c7db637f982c729b643933b1950e3c9b

SHA1
4fbac7e6aad0e3c73323f080bf85aa5b91b390e7

SHA256
91a552cd979bf69c1f8a1588686e91e8f14a1d1e20cdcb4634d1787091392eef

SHA512
6ec753e01e4a1a3b47ef160620a179f33102787d962c5897fb843043fa457f8516eb93188cc7ad108ca61773a30f003b0c4674867f8e8de629eb2d397ddcd0c9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1024B

MD5
00f3af94d867160b039e55ee6441ca2b

SHA1
0f6b2aa2b5d5c19fb9aec4e41f3a4ddf3f57815a

SHA256
c54adf9f1c3cc2b626d0da9b1fb6c31d23370ba64a46128c37e69c06fffbccca

SHA512
29cc8c3f7f30e36bcf6202c80ff6a7cfc9a718cf6126627be3c0a7609f92ffa960677728689a480f35c3a344dd0c95b80b07c8334ea9644f603de79fc6defe53

Download Submit
\Users\Admin\AppData\Local\5jM\mspaint.exe

Filesize
6.4MB

MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\fNPqOcTn\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
\Users\Admin\AppData\Local\wdFens\dpapimig.exe

Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
memory/1216-20-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-9-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-21-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-3-0x0000000077046000-0x0000000077047000-memory.dmp

Filesize
4KB

Download
memory/1216-18-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-32-0x00000000772E0000-0x00000000772E2000-memory.dmp

Filesize
8KB

Download
memory/1216-31-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/1216-16-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-38-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-37-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-30-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-13-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-15-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-14-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-12-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-11-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-10-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-22-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-8-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-29-0x0000000002D40000-0x0000000002D47000-memory.dmp

Filesize
28KB

Download
memory/1216-4-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1216-47-0x0000000077046000-0x0000000077047000-memory.dmp

Filesize
4KB

Download
memory/1216-17-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-19-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-7-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1216-6-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1400-99-0x000007FEF5CC0000-0x000007FEF5E73000-memory.dmp

Filesize
1.7MB

Download
memory/1400-103-0x000007FEF5CC0000-0x000007FEF5E73000-memory.dmp

Filesize
1.7MB

Download
memory/1868-46-0x000007FEF6220000-0x000007FEF639F000-memory.dmp

Filesize
1.5MB

Download
memory/1868-0-0x000007FEF6220000-0x000007FEF639F000-memory.dmp

Filesize
1.5MB

Download
memory/1868-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2760-58-0x000007FEF5D00000-0x000007FEF5E80000-memory.dmp

Filesize
1.5MB

Download
memory/2760-55-0x000007FEF5D00000-0x000007FEF5E80000-memory.dmp

Filesize
1.5MB

Download
memory/2820-87-0x000007FEF5D00000-0x000007FEF5E80000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads