dridex | 92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1

General

Target

92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1.dll
Size

1.1MB
MD5

15815247242b43059aebf26e60e3256b
SHA1

35b9b6fc8eac16bf80665da6a3fbd4aca140c494
SHA256

92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1
SHA512

d937b72eed31749bada0d69dbefcd27c528d05254369f174ce928f31b82dfb6fa5d54905d3e72d0b8825346423cba71d631de1903cbd7ca9f83e12c822fa2ed7
SSDEEP

12288:5kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64CR:5kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-4-0x0000000002A90000-0x0000000002A91000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2976-0-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1204-24-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1204-36-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/1204-35-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2976-44-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2748-53-0x0000000140000000-0x0000000140152000-memory.dmp	dridex_payload
behavioral1/memory/2748-58-0x0000000140000000-0x0000000140152000-memory.dmp	dridex_payload
behavioral1/memory/2580-71-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/2580-75-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/1152-91-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

Utilman.exep2phost.exerdpshell.exe

pid process

2748 Utilman.exe
2580 p2phost.exe
1152 rdpshell.exe
Loads dropped DLL 7 IoCs

Processes:

Utilman.exep2phost.exerdpshell.exe

pid process

1204
2748 Utilman.exe
1204
2580 p2phost.exe
1204
1152 rdpshell.exe
1204

pid	process
2748	Utilman.exe
2580	p2phost.exe
1152	rdpshell.exe

pid	process
1204
2748	Utilman.exe
1204
2580	p2phost.exe
1204
1152	rdpshell.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\KRo\\p2phost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Utilman.exep2phost.exerdpshell.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 588	1204	Utilman.exe
PID 1204 wrote to memory of 588	1204	Utilman.exe
PID 1204 wrote to memory of 588	1204	Utilman.exe
PID 1204 wrote to memory of 2748	1204	Utilman.exe
PID 1204 wrote to memory of 2748	1204	Utilman.exe
PID 1204 wrote to memory of 2748	1204	Utilman.exe
PID 1204 wrote to memory of 2552	1204	p2phost.exe
PID 1204 wrote to memory of 2552	1204	p2phost.exe
PID 1204 wrote to memory of 2552	1204	p2phost.exe
PID 1204 wrote to memory of 2580	1204	p2phost.exe
PID 1204 wrote to memory of 2580	1204	p2phost.exe
PID 1204 wrote to memory of 2580	1204	p2phost.exe
PID 1204 wrote to memory of 1696	1204	rdpshell.exe
PID 1204 wrote to memory of 1696	1204	rdpshell.exe
PID 1204 wrote to memory of 1696	1204	rdpshell.exe
PID 1204 wrote to memory of 1152	1204	rdpshell.exe
PID 1204 wrote to memory of 1152	1204	rdpshell.exe
PID 1204 wrote to memory of 1152	1204	rdpshell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:588

C:\Users\Admin\AppData\Local\BXVuu6aQ0\Utilman.exe
C:\Users\Admin\AppData\Local\BXVuu6aQ0\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2748

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2552

C:\Users\Admin\AppData\Local\9PB\p2phost.exe
C:\Users\Admin\AppData\Local\9PB\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2580

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\pVP\rdpshell.exe
C:\Users\Admin\AppData\Local\pVP\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9PB\P2P.dll

Filesize
1.1MB

MD5
10f65822dd82271415b3ec3018cb409c

SHA1
98b76fc29dd32206934e51f0d3d641a958ac2db3

SHA256
f9a6898a84675d9d89fb90c73dbe49103aea849785c8459c7dfd545896c5d85c

SHA512
0c2398632af02a8dbffb9584b55885b37deb2fbf58653e63119b85517911d88c4db046654849a1dffe745b67138342bfb1b08f59f4b06ab1daba4c515cf92a99

Download Submit
C:\Users\Admin\AppData\Local\BXVuu6aQ0\DUI70.dll

Filesize
1.3MB

MD5
1e7c39801920ecce84266de5dfeafbaa

SHA1
d9ebbdd3dac88a495e3591569943f3cfabe28476

SHA256
ab83b9fd8ab36f61519e0db84c93224a63a8470666ded357ee2175a12b20fa70

SHA512
1b786b569cefdc9e418bbbc8e114878b55d5fa59ccdaddb70f2c068eec378d49895b0092d55d393b4d6d792c1c00913ce3ec27f9d01b4270500343184d4063ba

Download Submit
C:\Users\Admin\AppData\Local\pVP\WTSAPI32.dll

Filesize
1.1MB

MD5
4a763113d7c0445c76ea01e519f102e2

SHA1
3b322dcd7cd943bb8ea2b2383a409bab4b281754

SHA256
924a5355233355fddb5fa1af25862ebfede036c18844e5b195395acdaf643654

SHA512
b00b21b1d650d685d413c5db128d926a8f8c0c46a27e7ba48f31813ea1cecd454af55cf591c86b652b606dd0a5c583804006bc6eda6f075e4d6bd7cf2be54663

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
950B

MD5
f5753d1019eb28305ed347d4a9bba858

SHA1
3b0d78428b72efd990de090adc498814ae6aaa10

SHA256
aa4dc87bba47bfee39e6187eceb2edc6b242a9a58f7543c2150e5d6d0b1842f1

SHA512
ca9529ac86e06026d3754ed4b50616cf4d7c0d0e921e4ebc773b77e339c0c5987e74ce7c9ad71006ec193738dfbe8ce0917cf19257efae799eef750d8f95dc88

Download Submit
\Users\Admin\AppData\Local\9PB\p2phost.exe

Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\BXVuu6aQ0\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
\Users\Admin\AppData\Local\pVP\rdpshell.exe

Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
memory/1152-91-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/1204-8-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-45-0x00000000778A6000-0x00000000778A7000-memory.dmp

Filesize
4KB

Download
memory/1204-12-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-13-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-16-0x0000000002A70000-0x0000000002A77000-memory.dmp

Filesize
28KB

Download
memory/1204-15-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-14-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-24-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-26-0x0000000077B40000-0x0000000077B42000-memory.dmp

Filesize
8KB

Download
memory/1204-25-0x0000000077B10000-0x0000000077B12000-memory.dmp

Filesize
8KB

Download
memory/1204-36-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-35-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-3-0x00000000778A6000-0x00000000778A7000-memory.dmp

Filesize
4KB

Download
memory/1204-4-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1204-11-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-10-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-6-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-7-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-9-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2580-70-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2580-71-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2580-75-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2748-58-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2748-55-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2748-53-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2976-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2976-44-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2976-0-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads