dridex | 4af88f0bf58a337253e7ef9a79dc197102c9e3b2f156b0d5a54998d514ee3eeb

General

Target

4af88f0bf58a337253e7ef9a79dc197102c9e3b2f156b0d5a54998d514ee3eeb.dll
Size

700KB
MD5

6bd456cfeba026cd573f86e5531ea384
SHA1

66a88b459322450c073b8c4626f9967e951775c5
SHA256

4af88f0bf58a337253e7ef9a79dc197102c9e3b2f156b0d5a54998d514ee3eeb
SHA512

a35d4de20a6d51f668e08509255b7ba6ae8085170118c23f65202eb22d7687ae1474a29227f57410e146ca3ab27397d86329acfb08c48806308665f561943f3a
SSDEEP

12288:pqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:pqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3428-3-0x0000000002D90000-0x0000000002D91000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1376-1-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3428-24-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3428-35-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/1376-38-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/4088-45-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/4088-50-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/3368-66-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/4004-77-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/4004-81-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

lpksetup.exeSystemPropertiesComputerName.exeLicensingUI.exe

pid process

4088 lpksetup.exe
3368 SystemPropertiesComputerName.exe
4004 LicensingUI.exe
Loads dropped DLL 3 IoCs

Processes:

lpksetup.exeSystemPropertiesComputerName.exeLicensingUI.exe

pid process

4088 lpksetup.exe
3368 SystemPropertiesComputerName.exe
4004 LicensingUI.exe

pid	process
4088	lpksetup.exe
3368	SystemPropertiesComputerName.exe
4004	LicensingUI.exe

pid	process
4088	lpksetup.exe
3368	SystemPropertiesComputerName.exe
4004	LicensingUI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qiqbxsgjw = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\rF22mu\\SystemPropertiesComputerName.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesComputerName.exeLicensingUI.exerundll32.exelpksetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3428

pid	process
3428

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3428 wrote to memory of 2956	3428	lpksetup.exe
PID 3428 wrote to memory of 2956	3428	lpksetup.exe
PID 3428 wrote to memory of 4088	3428	lpksetup.exe
PID 3428 wrote to memory of 4088	3428	lpksetup.exe
PID 3428 wrote to memory of 2276	3428	SystemPropertiesComputerName.exe
PID 3428 wrote to memory of 2276	3428	SystemPropertiesComputerName.exe
PID 3428 wrote to memory of 3368	3428	SystemPropertiesComputerName.exe
PID 3428 wrote to memory of 3368	3428	SystemPropertiesComputerName.exe
PID 3428 wrote to memory of 4336	3428	LicensingUI.exe
PID 3428 wrote to memory of 4336	3428	LicensingUI.exe
PID 3428 wrote to memory of 4004	3428	LicensingUI.exe
PID 3428 wrote to memory of 4004	3428	LicensingUI.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4af88f0bf58a337253e7ef9a79dc197102c9e3b2f156b0d5a54998d514ee3eeb.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:2956

C:\Users\Admin\AppData\Local\wrt4TjW1W\lpksetup.exe
C:\Users\Admin\AppData\Local\wrt4TjW1W\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4088

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2276

C:\Users\Admin\AppData\Local\G835xRoO\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\G835xRoO\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3368

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:4336

C:\Users\Admin\AppData\Local\BAupr\LicensingUI.exe
C:\Users\Admin\AppData\Local\BAupr\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BAupr\DUI70.dll

Filesize
980KB

MD5
d92ee8c1b0655bb37260ff013fbabb2b

SHA1
14f395107fa3e6bf1be2eec62646d1ec77db7168

SHA256
bae46199518b9a707fda004b5fe7a0c99b2a42d64c4dcb92bdeacdce401eba5b

SHA512
c0101676ff1c615fd05ca4d606dfd8ab7bc2ec2f8ee6c7dd0b4ab7e21bdf02d105a2c7f9afdb21d9ee3ae68deb8baaa61206bae9555f2298d7d58cd2f7fe3d02

Download Submit
C:\Users\Admin\AppData\Local\BAupr\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\G835xRoO\SYSDM.CPL

Filesize
704KB

MD5
9d647617ed25a9e5e3b501e848991867

SHA1
9b481aab6317433c7625dd68149c1ead802ff141

SHA256
a23a81a12d663f9cba69cc853637232a280f86928016058e269e0a4339b00f84

SHA512
d50db4f2411f8c49096cc40132e70432a3be80cffd99badf8ec08d813bd78f85223e94b8d341ab74dba19b512104ba11cea587928525bed4f4600ab2f162402b

Download Submit
C:\Users\Admin\AppData\Local\G835xRoO\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Local\wrt4TjW1W\dpx.dll

Filesize
704KB

MD5
686722e71e247532c193fac076243e4f

SHA1
88e1ccb3f822916058b6b43e64d866ca85cc8024

SHA256
98385ae9aaa300bb9a2910dc8bcd64418dbd525e7cd6f6373584b38b248a4d41

SHA512
dc11189269d7058a10d1bce94b19c93c34ccf673ff11c8cb96da8f045c52ee6ad82de9be706b1615024b2cd12085b90d2f8753663ea9892bfcc3add0871ee177

Download Submit
C:\Users\Admin\AppData\Local\wrt4TjW1W\lpksetup.exe

Filesize
728KB

MD5
c75516a32e0aea02a184074d55d1a997

SHA1
f9396946c078f8b0f28e3a6e21a97eeece31d13f

SHA256
cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

SHA512
92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk

Filesize
1KB

MD5
881cd1301cb2ac921e591a24d0bc94cc

SHA1
3b4aa277c074a3a73f7e235f5d3e77a6f55c5438

SHA256
de6c6ef159344a4349f472e2413bf04e0fdc8fe2c1c78129abebe0cf8dce4ef1

SHA512
afc125bfef75e31670e605688ef6699a57c5696dd47d768f4b10d4aed1ebf54343ab69310f725397ead51dc83d1bd109992195263c8292ae63f2edfd967feddc

Download Submit
memory/1376-0-0x0000029150200000-0x0000029150207000-memory.dmp

Filesize
28KB

Download
memory/1376-1-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1376-38-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3368-66-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3368-63-0x000001E243640000-0x000001E243647000-memory.dmp

Filesize
28KB

Download
memory/3428-8-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-14-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-10-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-9-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-11-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-7-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-6-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-24-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-25-0x00007FFA91E00000-0x00007FFA91E10000-memory.dmp

Filesize
64KB

Download
memory/3428-26-0x00007FFA91DF0000-0x00007FFA91E00000-memory.dmp

Filesize
64KB

Download
memory/3428-3-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/3428-5-0x00007FFA918EA000-0x00007FFA918EB000-memory.dmp

Filesize
4KB

Download
memory/3428-12-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-13-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-15-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3428-23-0x0000000000D00000-0x0000000000D07000-memory.dmp

Filesize
28KB

Download
memory/3428-35-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/4004-77-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/4004-81-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/4088-50-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/4088-45-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/4088-47-0x000002293F520000-0x000002293F527000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads