dridex | 6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b

General

Target

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll
Size

1.1MB
MD5

e6d1c2e5b87a7ed6ba3589239a6f4df1
SHA1

23b73577254af4ca38171c0414b44bdee8980c50
SHA256

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b
SHA512

9c6be91ff095cc8828ae4aff713ceb20e098f81e49ba3a2e61c16b9c06d99bfb14604e5074811d2a0de176748b96a06f72ad0a3d3e8b21827d43eb087b1ecae8
SSDEEP

12288:4kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:4kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3540-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4952-1-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3540-23-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3540-34-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/4952-37-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/4044-44-0x0000000140000000-0x0000000140162000-memory.dmp	dridex_payload
behavioral2/memory/4044-49-0x0000000140000000-0x0000000140162000-memory.dmp	dridex_payload
behavioral2/memory/4712-60-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/4712-65-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/3996-76-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3996-80-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SysResetErr.exeFXSCOVER.exewusa.exe

pid process

4044 SysResetErr.exe
4712 FXSCOVER.exe
3996 wusa.exe
Loads dropped DLL 3 IoCs

Processes:

SysResetErr.exeFXSCOVER.exewusa.exe

pid process

4044 SysResetErr.exe
4712 FXSCOVER.exe
3996 wusa.exe

pid	process
4044	SysResetErr.exe
4712	FXSCOVER.exe
3996	wusa.exe

pid	process
4044	SysResetErr.exe
4712	FXSCOVER.exe
3996	wusa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\ZQNW9G~1\\FXSCOVER.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wusa.exerundll32.exeSysResetErr.exeFXSCOVER.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4952	rundll32.exe
4952	rundll32.exe
4952	rundll32.exe
4952	rundll32.exe
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3540 wrote to memory of 3640	3540	SysResetErr.exe
PID 3540 wrote to memory of 3640	3540	SysResetErr.exe
PID 3540 wrote to memory of 4044	3540	SysResetErr.exe
PID 3540 wrote to memory of 4044	3540	SysResetErr.exe
PID 3540 wrote to memory of 3028	3540	FXSCOVER.exe
PID 3540 wrote to memory of 3028	3540	FXSCOVER.exe
PID 3540 wrote to memory of 4712	3540	FXSCOVER.exe
PID 3540 wrote to memory of 4712	3540	FXSCOVER.exe
PID 3540 wrote to memory of 4492	3540	wusa.exe
PID 3540 wrote to memory of 4492	3540	wusa.exe
PID 3540 wrote to memory of 3996	3540	wusa.exe
PID 3540 wrote to memory of 3996	3540	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:3640

C:\Users\Admin\AppData\Local\BKt2IIcsq\SysResetErr.exe
C:\Users\Admin\AppData\Local\BKt2IIcsq\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4044

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:3028

C:\Users\Admin\AppData\Local\caS1IE\FXSCOVER.exe
C:\Users\Admin\AppData\Local\caS1IE\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4712

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:4492

C:\Users\Admin\AppData\Local\Dy5raN\wusa.exe
C:\Users\Admin\AppData\Local\Dy5raN\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BKt2IIcsq\DUI70.dll

Filesize
1.4MB

MD5
72b55e014f0a0036033d17af992b1d3c

SHA1
69fd5182a34e928f2e9f05ef7d1a515d5d096ad3

SHA256
c985e3d37d5719a85a45ccb63fda9c27c4839d1df6e31421ae131701a505de62

SHA512
228a5393baa72ce57aac8c78fe71d927d8d62ae8ffd345b0485f633ae4bb244cb7267edf3560421e06da7d109f96828bb63ae46147bc46d1105d0ed6caabfe77

Download Submit
C:\Users\Admin\AppData\Local\BKt2IIcsq\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\Dy5raN\WTSAPI32.dll

Filesize
1.1MB

MD5
b632ee33f9eceddd904f8848a1e995a3

SHA1
a9547d56b0ae5cb2d806bcbd229a26d541880f4f

SHA256
d9b2da0109901785d69aae5163f768424e3356d865c8947e729ed8a2c186584e

SHA512
e3fb48bb365de7b0ced35fa6babab27ada9bdc89a68b2913452788d099ee7ba558757dc876a3522cdd880ae5413c0beeb0c8f812432dc1c1b2149b8c93058a63

Download Submit
C:\Users\Admin\AppData\Local\Dy5raN\wusa.exe

Filesize
309KB

MD5
e43499ee2b4cf328a81bace9b1644c5d

SHA1
b2b55641f2799e3fdb3bea709c9532017bbac59d

SHA256
3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

SHA512
04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

Download Submit
C:\Users\Admin\AppData\Local\caS1IE\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\caS1IE\MFC42u.dll

Filesize
1.1MB

MD5
1e75c3e932bfb256167b05c79c582343

SHA1
0506c3bc9d50964a9098a7e7d134d547f019a198

SHA256
c094d7892085105604c98b5a984d209af6c885ea0b822f41f9846fa6a492a33c

SHA512
fa7fbd60ac6911ac936d452f65041298424aeaadafe1c29bcc56ac4cb0075e43e85b089f5caa4eb496b22ceff041887073876ffceea1f60d95fa8a29e18fbb36

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
2ec38624cfce7e68f1a02fbe440de801

SHA1
36c1ff839b4738af27d9a846c022eb1cea476f8e

SHA256
e71f6b33fd74a87a892ffbb932835c75dd7ab6c0a004225d92ef080fdeedb243

SHA512
7acf39ccf17c09c12b5f153c09763b318feb2706a658b9b35326da56b8f21ea7f8e0ea19f06f63c1ca5ef564d2b4f499b76f904dd9beacfdd10499bcc6beeb67

Download Submit
memory/3540-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-22-0x0000000000C60000-0x0000000000C67000-memory.dmp

Filesize
28KB

Download
memory/3540-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-34-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-25-0x00007FF81CA30000-0x00007FF81CA40000-memory.dmp

Filesize
64KB

Download
memory/3540-24-0x00007FF81CA40000-0x00007FF81CA50000-memory.dmp

Filesize
64KB

Download
memory/3540-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-6-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3540-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-5-0x00007FF81C06A000-0x00007FF81C06B000-memory.dmp

Filesize
4KB

Download
memory/3540-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3996-76-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3996-80-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/4044-49-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4044-44-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4044-46-0x0000027B43AD0000-0x0000027B43AD7000-memory.dmp

Filesize
28KB

Download
memory/4712-62-0x000001CEC9A10000-0x000001CEC9A17000-memory.dmp

Filesize
28KB

Download
memory/4712-60-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/4712-65-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/4952-1-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4952-37-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4952-2-0x000001F2807B0000-0x000001F2807B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads