dridex | eb0b173b943bf9399a03852622eadadec68805c0d7176f41e0e621822e071724

General

Target

eb0b173b943bf9399a03852622eadadec68805c0d7176f41e0e621822e071724.dll
Size

1.5MB
MD5

a2f81479dcf22bbfa3ea600831b3daac
SHA1

cc7e7e2a99859fc8d06cc8ff59b0c1f7aea122c8
SHA256

eb0b173b943bf9399a03852622eadadec68805c0d7176f41e0e621822e071724
SHA512

cad46194da3ea931cc0487a0530b483a526edad634c01f1dbda52345779258dc66ca777821372e5d74516371ca32c192a164ddc6ce336e677f4dc663cef5f9a8
SSDEEP

12288:dXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:xB/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-4-0x0000000002F00000-0x0000000002F01000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2128-0-0x000007FEF5FA0000-0x000007FEF611F000-memory.dmp	dridex_payload
behavioral1/memory/1208-22-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/1208-30-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/1208-43-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/1208-41-0x0000000140000000-0x000000014017F000-memory.dmp	dridex_payload
behavioral1/memory/2128-50-0x000007FEF5FA0000-0x000007FEF611F000-memory.dmp	dridex_payload
behavioral1/memory/2580-60-0x000007FEF5A40000-0x000007FEF5BF3000-memory.dmp	dridex_payload
behavioral1/memory/2580-64-0x000007FEF5A40000-0x000007FEF5BF3000-memory.dmp	dridex_payload
behavioral1/memory/1984-77-0x000007FEF5A70000-0x000007FEF5BF1000-memory.dmp	dridex_payload
behavioral1/memory/1984-81-0x000007FEF5A70000-0x000007FEF5BF1000-memory.dmp	dridex_payload
behavioral1/memory/2864-93-0x000007FEF5A80000-0x000007FEF5C00000-memory.dmp	dridex_payload
behavioral1/memory/2864-97-0x000007FEF5A80000-0x000007FEF5C00000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

StikyNot.exedpnsvr.exespreview.exe

pid process

2580 StikyNot.exe
1984 dpnsvr.exe
2864 spreview.exe
Loads dropped DLL 7 IoCs

Processes:

StikyNot.exedpnsvr.exespreview.exe

pid process

1208
2580 StikyNot.exe
1208
1984 dpnsvr.exe
1208
2864 spreview.exe
1208

pid	process
2580	StikyNot.exe
1984	dpnsvr.exe
2864	spreview.exe

pid	process
1208
2580	StikyNot.exe
1208
1984	dpnsvr.exe
1208
2864	spreview.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnfwvyvycst = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\d4qcxkin\\dpnsvr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

StikyNot.exedpnsvr.exespreview.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeStikyNot.exe

pid	process
2128	rundll32.exe
2128	rundll32.exe
2128	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
2580	StikyNot.exe
2580	StikyNot.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2640	1208	StikyNot.exe
PID 1208 wrote to memory of 2640	1208	StikyNot.exe
PID 1208 wrote to memory of 2640	1208	StikyNot.exe
PID 1208 wrote to memory of 2580	1208	StikyNot.exe
PID 1208 wrote to memory of 2580	1208	StikyNot.exe
PID 1208 wrote to memory of 2580	1208	StikyNot.exe
PID 1208 wrote to memory of 2176	1208	dpnsvr.exe
PID 1208 wrote to memory of 2176	1208	dpnsvr.exe
PID 1208 wrote to memory of 2176	1208	dpnsvr.exe
PID 1208 wrote to memory of 1984	1208	dpnsvr.exe
PID 1208 wrote to memory of 1984	1208	dpnsvr.exe
PID 1208 wrote to memory of 1984	1208	dpnsvr.exe
PID 1208 wrote to memory of 2044	1208	spreview.exe
PID 1208 wrote to memory of 2044	1208	spreview.exe
PID 1208 wrote to memory of 2044	1208	spreview.exe
PID 1208 wrote to memory of 2864	1208	spreview.exe
PID 1208 wrote to memory of 2864	1208	spreview.exe
PID 1208 wrote to memory of 2864	1208	spreview.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb0b173b943bf9399a03852622eadadec68805c0d7176f41e0e621822e071724.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\nZ5KVY\StikyNot.exe
C:\Users\Admin\AppData\Local\nZ5KVY\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:2176

C:\Users\Admin\AppData\Local\1Jm\dpnsvr.exe
C:\Users\Admin\AppData\Local\1Jm\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1984

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:2044

C:\Users\Admin\AppData\Local\u7sI3\spreview.exe
C:\Users\Admin\AppData\Local\u7sI3\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1Jm\WINMM.dll

Filesize
1.5MB

MD5
275e04d11c8452cae11aa7b921d9ccac

SHA1
f36ec4af65c5520c1e5206175b7401134fa6767b

SHA256
61fa4e75f85a4cf744f359d5efc64fc9efacd0c0345d8595c8ccc4de1e6e3d0a

SHA512
a7e4745522c5d2dad5e24ac84b592becae23b44eb2db5cbf9eebff2f8cb714d5ca37d9b8a19e3642892b4edcfbae320e5ce9baec0c50f28cae6045b32f48f9fa

Download Submit
C:\Users\Admin\AppData\Local\1Jm\dpnsvr.exe

Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
C:\Users\Admin\AppData\Local\nZ5KVY\DUI70.dll

Filesize
1.7MB

MD5
1ffd37bf4565cfe535be906a28ef1fe6

SHA1
8095ac57890b0a20c048976b32fbd6a24ce6682d

SHA256
d972da2901f1724cb022d90717f66edd0ae628866f15e1c44cb23343bb358fbf

SHA512
e1b7eb927e78dd181f6b7ce43e8ca2efea975a02777e36e094b112f2d1c0e9932bdd2b20a7d9d754f3616742560f38105663fb51bf1cea0ba20c79150a00bd37

Download Submit
C:\Users\Admin\AppData\Local\nZ5KVY\StikyNot.exe

Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
C:\Users\Admin\AppData\Local\u7sI3\WINBRAND.dll

Filesize
1.5MB

MD5
e90c69cbb8bd351680e9d8512be91b67

SHA1
83c01f9c1abbd44a02b594717ac0b2ea8e488a6b

SHA256
f98fc70db4b8c11d93f266c477772b3fd3356f2b5f91fc785a0f1b22eab095ff

SHA512
7f9caacd2303278582203450dd26778cf85fd8c5c0530017659f1d76d510eda5701d9a86d69858627436019df89dd37020f980296873cb74312cb15a2cb8f871

Download Submit
C:\Users\Admin\AppData\Local\u7sI3\spreview.exe

Filesize
294KB

MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk

Filesize
1KB

MD5
0fe0c262563b817d1b37e7fe3e4e3012

SHA1
11e0ea2238ee96f180044b1271547ecd6fa8f535

SHA256
8785f939f8b57338d073c6f82054ce5a621d31e64d11291517dcfc27769f72cf

SHA512
f3694d74e5ec83af997bad8187b193f0cb1476b129814960899671e474a2542f68400d41a00d1b31ed4168217a18b547f8ffb849666bcddf7890944ed323f2c7

Download Submit
memory/1208-10-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-41-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-13-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-12-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-29-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1208-22-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-21-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-20-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-19-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-30-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-18-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-17-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-16-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-15-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-11-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-3-0x0000000076CC6000-0x0000000076CC7000-memory.dmp

Filesize
4KB

Download
memory/1208-32-0x0000000077060000-0x0000000077062000-memory.dmp

Filesize
8KB

Download
memory/1208-31-0x0000000077030000-0x0000000077032000-memory.dmp

Filesize
8KB

Download
memory/1208-43-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-14-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-4-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1208-51-0x0000000076CC6000-0x0000000076CC7000-memory.dmp

Filesize
4KB

Download
memory/1208-6-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-7-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-9-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1208-8-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1984-77-0x000007FEF5A70000-0x000007FEF5BF1000-memory.dmp

Filesize
1.5MB

Download
memory/1984-81-0x000007FEF5A70000-0x000007FEF5BF1000-memory.dmp

Filesize
1.5MB

Download
memory/1984-76-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2128-50-0x000007FEF5FA0000-0x000007FEF611F000-memory.dmp

Filesize
1.5MB

Download
memory/2128-0-0x000007FEF5FA0000-0x000007FEF611F000-memory.dmp

Filesize
1.5MB

Download
memory/2128-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2580-64-0x000007FEF5A40000-0x000007FEF5BF3000-memory.dmp

Filesize
1.7MB

Download
memory/2580-60-0x000007FEF5A40000-0x000007FEF5BF3000-memory.dmp

Filesize
1.7MB

Download
memory/2580-59-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2864-93-0x000007FEF5A80000-0x000007FEF5C00000-memory.dmp

Filesize
1.5MB

Download
memory/2864-97-0x000007FEF5A80000-0x000007FEF5C00000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads