dridex | 9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590

General

Target

9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590.dll
Size

904KB
MD5

54d31559f9dbc295e20cf99dee50ac94
SHA1

81986b520be480a568f9683d8b93d06433cbb53c
SHA256

9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590
SHA512

1792ab82fee29d482c5f229096a477cfdeeb1b670f21b9542d91ad4bb4048e976ef9f0c73195675b4925fc2f7e2b8b9d3fb0fd3b8ae4162ad7a0ff043043d440
SSDEEP

12288:+qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:+qGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3436-3-0x0000000002720000-0x0000000002721000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2896-1-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/3436-24-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/3436-35-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/2896-38-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral2/memory/664-47-0x0000025287EA0000-0x0000025287F83000-memory.dmp	dridex_payload
behavioral2/memory/664-51-0x0000025287EA0000-0x0000025287F83000-memory.dmp	dridex_payload
behavioral2/memory/3344-63-0x0000000140000000-0x0000000140128000-memory.dmp	dridex_payload
behavioral2/memory/3344-67-0x0000000140000000-0x0000000140128000-memory.dmp	dridex_payload
behavioral2/memory/4504-78-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral2/memory/4504-82-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

ie4uinit.exesystemreset.exeDisplaySwitch.exe

pid process

664 ie4uinit.exe
3344 systemreset.exe
4504 DisplaySwitch.exe
Loads dropped DLL 4 IoCs

Processes:

ie4uinit.exesystemreset.exeDisplaySwitch.exe

pid process

664 ie4uinit.exe
664 ie4uinit.exe
3344 systemreset.exe
4504 DisplaySwitch.exe

pid	process
664	ie4uinit.exe
3344	systemreset.exe
4504	DisplaySwitch.exe

pid	process
664	ie4uinit.exe
664	ie4uinit.exe
3344	systemreset.exe
4504	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\8H4wFt\\systemreset.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ie4uinit.exesystemreset.exeDisplaySwitch.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008
Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2896	rundll32.exe
2896	rundll32.exe
2896	rundll32.exe
2896	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3436
3436

pid	process
3436
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 4632	3436	ie4uinit.exe
PID 3436 wrote to memory of 4632	3436	ie4uinit.exe
PID 3436 wrote to memory of 664	3436	ie4uinit.exe
PID 3436 wrote to memory of 664	3436	ie4uinit.exe
PID 3436 wrote to memory of 4772	3436	systemreset.exe
PID 3436 wrote to memory of 4772	3436	systemreset.exe
PID 3436 wrote to memory of 3344	3436	systemreset.exe
PID 3436 wrote to memory of 3344	3436	systemreset.exe
PID 3436 wrote to memory of 668	3436	DisplaySwitch.exe
PID 3436 wrote to memory of 668	3436	DisplaySwitch.exe
PID 3436 wrote to memory of 4504	3436	DisplaySwitch.exe
PID 3436 wrote to memory of 4504	3436	DisplaySwitch.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:4632

C:\Users\Admin\AppData\Local\UD02hrT\ie4uinit.exe
C:\Users\Admin\AppData\Local\UD02hrT\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:664

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:4772

C:\Users\Admin\AppData\Local\utdRJg\systemreset.exe
C:\Users\Admin\AppData\Local\utdRJg\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3344

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:668

C:\Users\Admin\AppData\Local\tSbAUWDq\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\tSbAUWDq\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\UD02hrT\VERSION.dll

Filesize
908KB

MD5
38a74dce40d2ded5a38e976c93663da2

SHA1
a82b5bb040ec4b5ee637f40234fea2092a222ebd

SHA256
4f3768f28e63cafea85bd9e9be7cc41fc62d778199b3de65a15bd08a4c506a5f

SHA512
e459913ac9ee2ffbf4466a8ca54eef77fd42d71812640431b0a18c2021e80398ed876911734fa9834f6864188d55b516b0c234cc21e5fc1d6f4beefecfcd0667

Download Submit
C:\Users\Admin\AppData\Local\UD02hrT\ie4uinit.exe

Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\tSbAUWDq\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\tSbAUWDq\UxTheme.dll

Filesize
908KB

MD5
d81ddf153a93068c93e6d4003e589e38

SHA1
67d1579bb5dadb687edc57b3643b954934bcf2fb

SHA256
9088e56b320aebd2bb1b78b2354e8314063bcdd2e851f688ad183e76280534fd

SHA512
d18e6a8cf19825b6681b673d407205cc4dddfffb85c4d7b49250b7ed57e45953f50196921fad72c4a98fadc81615bdb592ce21a29043e6f18ac1f72cb138681a

Download Submit
C:\Users\Admin\AppData\Local\utdRJg\DUI70.dll

Filesize
1.2MB

MD5
013ebe5755abf40a89b1cfb52e469cf7

SHA1
959abda4926797b26d3df27838b9364ed0d72b01

SHA256
37045b4f11dd910ba6f06dc4f6942e8fc88d3f1932f48c41427a09df2042fdf8

SHA512
460a9dec62dd7e7f09b9481a62393d043912a1c7db327d4e3266eb22e93d47ced61c6314f87799e41c7c626d31a0ec72429c4fa7e15c67e4439fcdf65c3fd4e2

Download Submit
C:\Users\Admin\AppData\Local\utdRJg\systemreset.exe

Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
1KB

MD5
f7eb06d5a587bb7298ef0dda58febb02

SHA1
b7c23515c98a294063d87ff21adcf11dccf675ec

SHA256
9a8bf4d1c2eccacbf7b32f4f649ab1d32b60a8567402bc4f5576db75ddca3420

SHA512
f8a6039e4058dfac6dea4a03e804d67285fa8b7a661ddd66d5903e292d976f67a24c904bcc3d1e6fdc0aa1693e43da96e9004290a1cf0acc998c162150a93609

Download Submit
memory/664-47-0x0000025287EA0000-0x0000025287F83000-memory.dmp

Filesize
908KB

Download
memory/664-51-0x0000025287EA0000-0x0000025287F83000-memory.dmp

Filesize
908KB

Download
memory/664-46-0x0000025289810000-0x0000025289817000-memory.dmp

Filesize
28KB

Download
memory/2896-1-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2896-38-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2896-2-0x000001EBD8A70000-0x000001EBD8A77000-memory.dmp

Filesize
28KB

Download
memory/3344-63-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/3344-62-0x0000019FA7D50000-0x0000019FA7D57000-memory.dmp

Filesize
28KB

Download
memory/3344-67-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/3436-14-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-25-0x00007FFC9E1E0000-0x00007FFC9E1F0000-memory.dmp

Filesize
64KB

Download
memory/3436-35-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-7-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-8-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-9-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-10-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-12-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-24-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-6-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-26-0x00007FFC9E1D0000-0x00007FFC9E1E0000-memory.dmp

Filesize
64KB

Download
memory/3436-23-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/3436-15-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-13-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-11-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3436-3-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/3436-5-0x00007FFC9D4DA000-0x00007FFC9D4DB000-memory.dmp

Filesize
4KB

Download
memory/4504-82-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4504-78-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads