dridex | 29cc676374970636300ec1fe268c10af4871e25f4c9998546da9b6bb849012bd

General

Target

29cc676374970636300ec1fe268c10af4871e25f4c9998546da9b6bb849012bd.dll
Size

1.1MB
MD5

9689001d9fbd08bc63318734814455df
SHA1

e115f3a4b3723f3375a7e164356266ab08a88b68
SHA256

29cc676374970636300ec1fe268c10af4871e25f4c9998546da9b6bb849012bd
SHA512

99d01a67ba2e1fb465aefeb588df89847262bfcb3d8fb839cfc3a93c87f9b88955f94329a462530dacf90b49ffc54a4824e46063eb958234bd3095447ef645f7
SSDEEP

12288:VkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:VkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-4-0x0000000002600000-0x0000000002601000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2848-0-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1236-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1236-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1236-37-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2848-44-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2624-54-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2624-58-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2920-75-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2044-91-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

msra.exerdpshell.exeisoburn.exe

pid process

2624 msra.exe
2920 rdpshell.exe
2044 isoburn.exe
Loads dropped DLL 7 IoCs

Processes:

msra.exerdpshell.exeisoburn.exe

pid process

1236
2624 msra.exe
1236
2920 rdpshell.exe
1236
2044 isoburn.exe
1236

pid	process
2624	msra.exe
2920	rdpshell.exe
2044	isoburn.exe

pid	process
1236
2624	msra.exe
1236
2920	rdpshell.exe
1236
2044	isoburn.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\HS\\rdpshell.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msra.exerdpshell.exeisoburn.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2848	rundll32.exe
2848	rundll32.exe
2848	rundll32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1236 wrote to memory of 2568	1236	msra.exe
PID 1236 wrote to memory of 2568	1236	msra.exe
PID 1236 wrote to memory of 2568	1236	msra.exe
PID 1236 wrote to memory of 2624	1236	msra.exe
PID 1236 wrote to memory of 2624	1236	msra.exe
PID 1236 wrote to memory of 2624	1236	msra.exe
PID 1236 wrote to memory of 2892	1236	rdpshell.exe
PID 1236 wrote to memory of 2892	1236	rdpshell.exe
PID 1236 wrote to memory of 2892	1236	rdpshell.exe
PID 1236 wrote to memory of 2920	1236	rdpshell.exe
PID 1236 wrote to memory of 2920	1236	rdpshell.exe
PID 1236 wrote to memory of 2920	1236	rdpshell.exe
PID 1236 wrote to memory of 2308	1236	isoburn.exe
PID 1236 wrote to memory of 2308	1236	isoburn.exe
PID 1236 wrote to memory of 2308	1236	isoburn.exe
PID 1236 wrote to memory of 2044	1236	isoburn.exe
PID 1236 wrote to memory of 2044	1236	isoburn.exe
PID 1236 wrote to memory of 2044	1236	isoburn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29cc676374970636300ec1fe268c10af4871e25f4c9998546da9b6bb849012bd.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:2568

C:\Users\Admin\AppData\Local\60t\msra.exe
C:\Users\Admin\AppData\Local\60t\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2624

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\GKsIshQ\rdpshell.exe
C:\Users\Admin\AppData\Local\GKsIshQ\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2920

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\5FWZ\isoburn.exe
C:\Users\Admin\AppData\Local\5FWZ\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5FWZ\UxTheme.dll

Filesize
1.1MB

MD5
09a3f58ed72825ac417533af61b354ba

SHA1
82123210e3e5fc84c69b687fd1d44f15fdcf8fc7

SHA256
3e95cb69edc4a258c89497581a13d7a79baa24abee888d083042289c557a2abf

SHA512
8ed850ccbd9f6140c2fee84619a84b91f56f18894caa736cf3ff0ae3a8ce56c798975f3618e72dee478ee17cc13b20b7840bf11584ab96061392d375be830f2c

Download Submit
C:\Users\Admin\AppData\Local\60t\Secur32.dll

Filesize
1.1MB

MD5
ad009607200cd1a7f7d2a84ed6aeb7a5

SHA1
8fa6f71ca055d0ab2d47e97d1321cbdcef3c6855

SHA256
902cefee83ad9bc15d501d894d9e041014b19de7fb9d7a8d4b5b7525d173fd49

SHA512
eff2922960b19d25d201af24d07b8e2a5728ffe07949abcfde4bea2a166703e19468262cfdc2b6eed9a82a615559bb293bdb21f8c58ecd6161363874e5e484af

Download Submit
C:\Users\Admin\AppData\Local\GKsIshQ\WTSAPI32.dll

Filesize
1.1MB

MD5
2e8ba11fb5e3097830172e7807328e70

SHA1
aea8451d152c52520682fb04a8c238c4804dc75c

SHA256
501623fcb451bf3eee9fb3aea079ef8fe793293eb7b041418328804537313522

SHA512
fca7ee5979601c2278e20771763126dd7a455510b5f46726af056ddd4fa59f9660a493c6f319823853956cd901ed982eb40f7d953d5f1e73342ed3655f5db6e0

Download Submit
C:\Users\Admin\AppData\Local\GKsIshQ\rdpshell.exe

Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1KB

MD5
a8b1bad477e2f90d26013859f6593915

SHA1
8c503370171a74268de68b99323e8ce1b9cca443

SHA256
507f2c40446aa74afac9b3978d2ea3080cd36ccaf90c0b8f1239e3e189372984

SHA512
d5aafa8a6b4864055fa11cf39525a7981a650b02c7cd859da68b1821079838943e8b6073f91e1b0a4a58dda68dcc5a54252957893f7ca5699fa81f447ee7e207

Download Submit
\Users\Admin\AppData\Local\5FWZ\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\Users\Admin\AppData\Local\60t\msra.exe

Filesize
636KB

MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
memory/1236-25-0x0000000077D00000-0x0000000077D02000-memory.dmp

Filesize
8KB

Download
memory/1236-3-0x0000000077996000-0x0000000077997000-memory.dmp

Filesize
4KB

Download
memory/1236-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-26-0x0000000077D30000-0x0000000077D32000-memory.dmp

Filesize
8KB

Download
memory/1236-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-37-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-22-0x00000000025E0000-0x00000000025E7000-memory.dmp

Filesize
28KB

Download
memory/1236-45-0x0000000077996000-0x0000000077997000-memory.dmp

Filesize
4KB

Download
memory/1236-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1236-4-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1236-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2044-91-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2624-58-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2624-54-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2624-53-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2848-44-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2848-0-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2848-2-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/2920-72-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2920-75-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads