dridex | a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371

General

Target

a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371.dll
Size

1.1MB
MD5

220299c4d18b28c5c9adce9e905d9b77
SHA1

70b93b7c82770bc3a4fd2eb66edaf1b3d3443acb
SHA256

a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371
SHA512

f3dd0898c251b7ff3505de8bba714a6f68983c813e42d774eca0e6e8220be9263353faac311fb2d2f19442be394ec867c86c664832dcea513f0dc6ba5eb58bef
SSDEEP

12288:ckMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:ckMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3420-3-0x0000000002890000-0x0000000002891000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1724-2-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3420-23-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3420-34-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/1724-37-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3456-44-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3456-49-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3356-61-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3356-65-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/584-76-0x0000000140000000-0x0000000140162000-memory.dmp	dridex_payload
behavioral2/memory/584-80-0x0000000140000000-0x0000000140162000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

sppsvc.exerdpinit.exewlrmdr.exe

pid process

3456 sppsvc.exe
3356 rdpinit.exe
584 wlrmdr.exe
Loads dropped DLL 3 IoCs

Processes:

sppsvc.exerdpinit.exewlrmdr.exe

pid process

3456 sppsvc.exe
3356 rdpinit.exe
584 wlrmdr.exe

pid	process
3456	sppsvc.exe
3356	rdpinit.exe
584	wlrmdr.exe

pid	process
3456	sppsvc.exe
3356	rdpinit.exe
584	wlrmdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\WORDDO~1\\1033\\jSTsHSm\\rdpinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wlrmdr.exerundll32.exesppsvc.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3420

pid	process
3420

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	target process
PID 3420 wrote to memory of 3456	3420	sppsvc.exe
PID 3420 wrote to memory of 3456	3420	sppsvc.exe
PID 3420 wrote to memory of 2684	3420	rdpinit.exe
PID 3420 wrote to memory of 2684	3420	rdpinit.exe
PID 3420 wrote to memory of 3356	3420	rdpinit.exe
PID 3420 wrote to memory of 3356	3420	rdpinit.exe
PID 3420 wrote to memory of 424	3420	wlrmdr.exe
PID 3420 wrote to memory of 424	3420	wlrmdr.exe
PID 3420 wrote to memory of 584	3420	wlrmdr.exe
PID 3420 wrote to memory of 584	3420	wlrmdr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a92fd3d497c33998e89add2b0ad92845790a39a07380299eaa7eff993d60b371.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2220

C:\Users\Admin\AppData\Local\vT49RHD\sppsvc.exe
C:\Users\Admin\AppData\Local\vT49RHD\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3456

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2684

C:\Users\Admin\AppData\Local\PI9kLz\rdpinit.exe
C:\Users\Admin\AppData\Local\PI9kLz\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3356

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:424

C:\Users\Admin\AppData\Local\vYQGtX\wlrmdr.exe
C:\Users\Admin\AppData\Local\vYQGtX\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PI9kLz\WINSTA.dll

Filesize
1.1MB

MD5
a92c62c05c980012d6879f94d540a76e

SHA1
ae03d9d27ef36d69771ec94e22fe663cb755ec1e

SHA256
b3e30a10e34bc225618181fdd92b4b21be8a0b23e155dd59b2309c52ef7ab89b

SHA512
f9a410788ff562f3d329a25da14a97dc2510f18e52ba948f1b64e4f6323cdea18730c8aad00c7c5d4575cfc0e665b3aabb41004d12cb2195d7cf565f2e21e099

Download Submit
C:\Users\Admin\AppData\Local\PI9kLz\rdpinit.exe

Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\vT49RHD\XmlLite.dll

Filesize
1.1MB

MD5
5a3ae9071b6837309056a013aa3fedca

SHA1
67a48ea7435714b44eb81fb80bdef6867d84cbf7

SHA256
860c40634d06860ddbb4990719d9732e8f38386810a42c0f0f004e624540a9c4

SHA512
15b57f4b2d5352353bf3edd328e906df39415faa026e53a8702055fa66f8b9ae4bcd96062cddeff4251fa0d85e94a64dbcd3373fc5fe578eda8e10d575e09c19

Download Submit
C:\Users\Admin\AppData\Local\vT49RHD\sppsvc.exe

Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Local\vYQGtX\DUI70.dll

Filesize
1.4MB

MD5
6e7fd919074be8fd21906f45ec60de76

SHA1
1f9846826e5bb9593685c42a6d35de40f06de850

SHA256
82b11383436ec0282c8fc6b9d8ed0b9e220e00bd41183460359e8d4ccdbacae8

SHA512
ca0ba562c8703419dd71f64f93a409beed774b8effce48b57f0ec9d107c6d3c594e8584a258df203cbe03e9013937e2a3de1f29d006d53d64b08a44c8abac198

Download Submit
C:\Users\Admin\AppData\Local\vYQGtX\wlrmdr.exe

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
ef16f25effb5d970ad1522cc591927d4

SHA1
31a8159566e330f3c2007471230ab9bac1efd13e

SHA256
699c4df714b56aa23dc1651dfbfee4e5062db5756540d296599b3c7a7627f6c6

SHA512
5c32bf0b30892aca9b29c86cfb03b81261987d99b333f1fc99e9844f7d1ad31f755a69f8e84973a68eb6e27d54626a168b4db5e7235b283fe1c9dce9c691cf06

Download Submit
memory/584-80-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/584-76-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1724-0-0x0000028C29BC0000-0x0000028C29BC7000-memory.dmp

Filesize
28KB

Download
memory/1724-37-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1724-2-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3356-60-0x00000158B9BA0000-0x00000158B9BA7000-memory.dmp

Filesize
28KB

Download
memory/3356-61-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3356-65-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3420-25-0x00007FFE76370000-0x00007FFE76380000-memory.dmp

Filesize
64KB

Download
memory/3420-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-6-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-5-0x00007FFE7518A000-0x00007FFE7518B000-memory.dmp

Filesize
4KB

Download
memory/3420-3-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3420-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-34-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-24-0x00007FFE76380000-0x00007FFE76390000-memory.dmp

Filesize
64KB

Download
memory/3420-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-22-0x0000000000CE0000-0x0000000000CE7000-memory.dmp

Filesize
28KB

Download
memory/3420-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3456-49-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3456-46-0x0000018FD9170000-0x0000018FD9177000-memory.dmp

Filesize
28KB

Download
memory/3456-44-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads