dridex | 2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e

General

Target

2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e.dll
Size

1.1MB
MD5

41f473abe15c43835fe74461cbe40ee7
SHA1

e15b1de311c779e53e83c87f743eb710d660aa91
SHA256

2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e
SHA512

7dab20ca04e4e3e517c255961c8ac301664e8e9b48e9ab0d2f012b161a2a88422d597c8a9ff082d4d50d58c2c57c1c340390720539f8188e845d92b5e0e7ec70
SSDEEP

12288:4kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:4kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3520-3-0x0000000002AB0000-0x0000000002AB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4540-2-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/3520-35-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/3520-24-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/4540-38-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/772-45-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload
behavioral2/memory/772-50-0x0000000140000000-0x0000000140169000-memory.dmp	dridex_payload
behavioral2/memory/2376-66-0x0000000140000000-0x000000014012A000-memory.dmp	dridex_payload
behavioral2/memory/2376-61-0x0000000140000000-0x000000014012A000-memory.dmp	dridex_payload
behavioral2/memory/644-79-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload
behavioral2/memory/644-83-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

bdechangepin.exeDevicePairingWizard.exeApplySettingsTemplateCatalog.exe

pid process

772 bdechangepin.exe
2376 DevicePairingWizard.exe
644 ApplySettingsTemplateCatalog.exe
Loads dropped DLL 3 IoCs

Processes:

bdechangepin.exeDevicePairingWizard.exeApplySettingsTemplateCatalog.exe

pid process

772 bdechangepin.exe
2376 DevicePairingWizard.exe
644 ApplySettingsTemplateCatalog.exe

pid	process
772	bdechangepin.exe
2376	DevicePairingWizard.exe
644	ApplySettingsTemplateCatalog.exe

pid	process
772	bdechangepin.exe
2376	DevicePairingWizard.exe
644	ApplySettingsTemplateCatalog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmqwm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\GqmOkZ\\DEVICE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exebdechangepin.exeDevicePairingWizard.exeApplySettingsTemplateCatalog.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4540	rundll32.exe
4540	rundll32.exe
4540	rundll32.exe
4540	rundll32.exe
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3520

pid	process
3520

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3520 wrote to memory of 348	3520	bdechangepin.exe
PID 3520 wrote to memory of 348	3520	bdechangepin.exe
PID 3520 wrote to memory of 772	3520	bdechangepin.exe
PID 3520 wrote to memory of 772	3520	bdechangepin.exe
PID 3520 wrote to memory of 3208	3520	DevicePairingWizard.exe
PID 3520 wrote to memory of 3208	3520	DevicePairingWizard.exe
PID 3520 wrote to memory of 2376	3520	DevicePairingWizard.exe
PID 3520 wrote to memory of 2376	3520	DevicePairingWizard.exe
PID 3520 wrote to memory of 2464	3520	ApplySettingsTemplateCatalog.exe
PID 3520 wrote to memory of 2464	3520	ApplySettingsTemplateCatalog.exe
PID 3520 wrote to memory of 644	3520	ApplySettingsTemplateCatalog.exe
PID 3520 wrote to memory of 644	3520	ApplySettingsTemplateCatalog.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c7566a218824ff9c74582e59b3ee42f1c5c780ebb721b145e05baf2b36e499e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:348

C:\Users\Admin\AppData\Local\8gX\bdechangepin.exe
C:\Users\Admin\AppData\Local\8gX\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:772

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:3208

C:\Users\Admin\AppData\Local\Nywx9n\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\Nywx9n\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2376

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\n87yPpx\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\n87yPpx\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8gX\DUI70.dll

Filesize
1.4MB

MD5
91161f6d968e26374707231ab1aee970

SHA1
28f02a16a16a943e68b06d14283b0977338237f8

SHA256
ddf427a62b5162128a772198b76cb700f4a78caad70591c9803fec6db6e67865

SHA512
0fec973ef0fa3e7a454eca118289448bf6a1de3e2d5fbcfc260b645477d6d0887aa17f193d878091a22738ff69489f05eafeb6f91b98a05d0931a2b97943263c

Download Submit
C:\Users\Admin\AppData\Local\8gX\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Local\Nywx9n\DevicePairingWizard.exe

Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\Nywx9n\MFC42u.dll

Filesize
1.2MB

MD5
056ea58e443aafe046e42d3713bc3edf

SHA1
f19dc811f96e4825c105ea8099342833bcea57a8

SHA256
3bf90d573f18aa959c620499ce8dae40ac305a47a6115e7fc6cdaf95bc10abd8

SHA512
81193165729248f574993b6b7f5a8fddadbe8d17b71df1aa0e90991b190e3bc508d2b48e7976260e8bfdd77de5bb01b7e9277f51426421fb6976a1f31db91d6f

Download Submit
C:\Users\Admin\AppData\Local\n87yPpx\ACTIVEDS.dll

Filesize
1.1MB

MD5
19f67a205215decd5a76e9584a001146

SHA1
2c13dc386a82b0e28c52ffafa31b341da67dc982

SHA256
a60a67219c6fddbbcf00718070363604deb9441184353a781797b289ff3c9df5

SHA512
d2e664c37843e4e3f8e5e77282d93f4a8183a148d07c59fb45d18615124657b0661eeee41d2a233eb72871419eda97cdd48d80f31b5b0dfa72607d884ffb7e24

Download Submit
C:\Users\Admin\AppData\Local\n87yPpx\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk

Filesize
1KB

MD5
e9f2339710dd904d8d6eae0e1f693310

SHA1
a81806ec4f72ab5b694849717901be84912f0966

SHA256
5117c5988ea81f46713d7e389ad11638f6d0d87bc6831575e8bd5453bd6baaad

SHA512
d94b9929e2f48bff2bc624beddb093d54f20ef2c5b3a308257d497879dfce92a72611169c0bcbab804755e3c559234491eba0a2b55844a2335bd1196588af8e0

Download Submit
memory/644-79-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/644-83-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/772-50-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/772-47-0x0000021DB8ED0000-0x0000021DB8ED7000-memory.dmp

Filesize
28KB

Download
memory/772-45-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2376-63-0x00000234EB3A0000-0x00000234EB3A7000-memory.dmp

Filesize
28KB

Download
memory/2376-66-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/2376-61-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/3520-11-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-9-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-35-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-24-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-5-0x00007FFEC769A000-0x00007FFEC769B000-memory.dmp

Filesize
4KB

Download
memory/3520-26-0x00007FFEC8390000-0x00007FFEC83A0000-memory.dmp

Filesize
64KB

Download
memory/3520-6-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-7-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-8-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-25-0x00007FFEC83A0000-0x00007FFEC83B0000-memory.dmp

Filesize
64KB

Download
memory/3520-10-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-15-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-3-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3520-12-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-23-0x0000000002470000-0x0000000002477000-memory.dmp

Filesize
28KB

Download
memory/3520-14-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3520-13-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/4540-2-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/4540-38-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/4540-0-0x000001B398F20000-0x000001B398F27000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads