dridex | 4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a

General

Target

4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a.dll
Size

1.1MB
MD5

47256612c3c8c8f506e0755af28551e8
SHA1

c72c90635b24feadcd786fef8cfe756eaa14b4cb
SHA256

4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a
SHA512

c84b91c039127bf34c2bf3996fe5c044dbd34ca248f8117966d4a43582f4e87578b471675278a6f46ba20fe58856144c8498d435e4df15075a087a81815e0075
SSDEEP

12288:IkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:IkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2976-0-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1204-23-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1204-34-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/1204-36-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/2976-43-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral1/memory/2744-52-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2744-56-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2548-71-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1696-87-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

wisptis.exespreview.exeiexpress.exe

pid process

2744 wisptis.exe
2548 spreview.exe
1696 iexpress.exe
Loads dropped DLL 7 IoCs

Processes:

wisptis.exespreview.exeiexpress.exe

pid process

1204
2744 wisptis.exe
1204
2548 spreview.exe
1204
1696 iexpress.exe
1204

pid	process
2744	wisptis.exe
2548	spreview.exe
1696	iexpress.exe

pid	process
1204
2744	wisptis.exe
1204
2548	spreview.exe
1204
1696	iexpress.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\w6u1\\spreview.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewisptis.exespreview.exeiexpress.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2804	1204	wisptis.exe
PID 1204 wrote to memory of 2804	1204	wisptis.exe
PID 1204 wrote to memory of 2804	1204	wisptis.exe
PID 1204 wrote to memory of 2744	1204	wisptis.exe
PID 1204 wrote to memory of 2744	1204	wisptis.exe
PID 1204 wrote to memory of 2744	1204	wisptis.exe
PID 1204 wrote to memory of 2596	1204	spreview.exe
PID 1204 wrote to memory of 2596	1204	spreview.exe
PID 1204 wrote to memory of 2596	1204	spreview.exe
PID 1204 wrote to memory of 2548	1204	spreview.exe
PID 1204 wrote to memory of 2548	1204	spreview.exe
PID 1204 wrote to memory of 2548	1204	spreview.exe
PID 1204 wrote to memory of 2364	1204	iexpress.exe
PID 1204 wrote to memory of 2364	1204	iexpress.exe
PID 1204 wrote to memory of 2364	1204	iexpress.exe
PID 1204 wrote to memory of 1696	1204	iexpress.exe
PID 1204 wrote to memory of 1696	1204	iexpress.exe
PID 1204 wrote to memory of 1696	1204	iexpress.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2804

C:\Users\Admin\AppData\Local\7bi\wisptis.exe
C:\Users\Admin\AppData\Local\7bi\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2744

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:2596

C:\Users\Admin\AppData\Local\NdXlGC5\spreview.exe
C:\Users\Admin\AppData\Local\NdXlGC5\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2548

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2364

C:\Users\Admin\AppData\Local\QasLn\iexpress.exe
C:\Users\Admin\AppData\Local\QasLn\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7bi\slc.dll

Filesize
1.1MB

MD5
ad7083c50ef400509a79aa7988f40419

SHA1
cdfc5a2d01d09dd8fca0037d6faccf2b777ddf0f

SHA256
204a9c288d8cfe08a47d4df9cdc0a4f98141fc23a63a9ecd31b95d9a67e59413

SHA512
407535e5b57eb78b08f87ff3ffbdc8d243637f697330d4e5b23a0a0de01879a30857fbc32e0b125c20379510a9ff130f9615e0ae2890b11f744c1c760a626d4d

Download Submit
C:\Users\Admin\AppData\Local\7bi\wisptis.exe

Filesize
396KB

MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
C:\Users\Admin\AppData\Local\NdXlGC5\sqmapi.dll

Filesize
1.1MB

MD5
9ee780592d09fe87c8f0c01a455ea9a2

SHA1
2e2cf697d9d7422242d94faea6be05e8c01537b9

SHA256
0d31f60b41d90059707d5b54173d840df833a11e35f2979846b34fc8c858830d

SHA512
aa3b53a75c2745adfaaaa810e4bd6864eec77eb28c9bdd3e5c3cd535632a7b28df78407ffe4e676256b2ae3c0dbf00eb6ca95959dec95eeb5bafa3e4b555e618

Download Submit
C:\Users\Admin\AppData\Local\QasLn\VERSION.dll

Filesize
1.1MB

MD5
dc5192282c6104f511507d667e91b9d2

SHA1
9a6b7e23fd127f0d713bf31c297e11ee1137e108

SHA256
fe3c023d8919cd21654aac3a4ae20348403c69c8c306844bfc8191ee5e6693c1

SHA512
3531e3c6c5f767d55be8f516fcecfd47eac6d9f42dccecba2ef5ffddae489d3af91101172ffc6aa8e5314e052dc4f82d65d531d82c7be3f66910e5486c5ea4a9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
208e5ca6e07553b77575851ec84f3e73

SHA1
4f37eabcac0c4a310e70f77d20909c8bd426c49c

SHA256
0750cd2ec24d43d7b0d7da1d913b94d00cdea916ad5c0baa920703cb407b50b1

SHA512
de776de05f7e7e0430891d4bf800ce95bc135caa7f3aabe6083f34d4bf7417b1036f16c4245ea09ed4526f3d964e876b1f0aba4e8e67a60ec2ebd94a1fb7d24a

Download Submit
\Users\Admin\AppData\Local\NdXlGC5\spreview.exe

Filesize
294KB

MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\QasLn\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
memory/1204-25-0x0000000077B40000-0x0000000077B42000-memory.dmp

Filesize
8KB

Download
memory/1204-44-0x00000000778A6000-0x00000000778A7000-memory.dmp

Filesize
4KB

Download
memory/1204-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-15-0x0000000002E90000-0x0000000002E97000-memory.dmp

Filesize
28KB

Download
memory/1204-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-24-0x0000000077B10000-0x0000000077B12000-memory.dmp

Filesize
8KB

Download
memory/1204-3-0x00000000778A6000-0x00000000778A7000-memory.dmp

Filesize
4KB

Download
memory/1204-34-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-36-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/1204-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-6-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1696-87-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2548-68-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2548-71-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2744-56-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2744-52-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2744-54-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/2976-43-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2976-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2976-0-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads