dridex | 642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9

General

Target

642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll
Size

900KB
MD5

42b74b886c2d75ff9bf4636e558d7ee2
SHA1

096a9d095b93fd378afdc04e04f0d82d23320b3d
SHA256

642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9
SHA512

688ad13892a5e66726574759fd21579887e2452b54397682a81643735ef050dd4fc4a8d152183802ad7f15f80eb2cdf889aa67a1b9050dcfd813cad00b363c78
SSDEEP

12288:CqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed1aaw6:CqGBHTxvt+g2gYed1

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-4-0x00000000025F0000-0x00000000025F1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2516-1-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral1/memory/1216-23-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral1/memory/1216-34-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral1/memory/1216-35-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral1/memory/2516-43-0x0000000140000000-0x00000001400E1000-memory.dmp	dridex_payload
behavioral1/memory/2916-53-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/2916-57-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/3044-74-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/584-86-0x0000000140000000-0x0000000140115000-memory.dmp	dridex_payload
behavioral1/memory/584-90-0x0000000140000000-0x0000000140115000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

psr.exeSystemPropertiesPerformance.exeUtilman.exe

pid process

2916 psr.exe
3044 SystemPropertiesPerformance.exe
584 Utilman.exe
Loads dropped DLL 7 IoCs

Processes:

psr.exeSystemPropertiesPerformance.exeUtilman.exe

pid process

1216
2916 psr.exe
1216
3044 SystemPropertiesPerformance.exe
1216
584 Utilman.exe
1216

pid	process
2916	psr.exe
3044	SystemPropertiesPerformance.exe
584	Utilman.exe

pid	process
1216
2916	psr.exe
1216
3044	SystemPropertiesPerformance.exe
1216
584	Utilman.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\iQC9m\\SystemPropertiesPerformance.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exepsr.exeSystemPropertiesPerformance.exeUtilman.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 2892	1216	psr.exe
PID 1216 wrote to memory of 2892	1216	psr.exe
PID 1216 wrote to memory of 2892	1216	psr.exe
PID 1216 wrote to memory of 2916	1216	psr.exe
PID 1216 wrote to memory of 2916	1216	psr.exe
PID 1216 wrote to memory of 2916	1216	psr.exe
PID 1216 wrote to memory of 2332	1216	SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 2332	1216	SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 2332	1216	SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 3044	1216	SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 3044	1216	SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 3044	1216	SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 1740	1216	Utilman.exe
PID 1216 wrote to memory of 1740	1216	Utilman.exe
PID 1216 wrote to memory of 1740	1216	Utilman.exe
PID 1216 wrote to memory of 584	1216	Utilman.exe
PID 1216 wrote to memory of 584	1216	Utilman.exe
PID 1216 wrote to memory of 584	1216	Utilman.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\Ap4gkf\psr.exe
C:\Users\Admin\AppData\Local\Ap4gkf\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2916

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2332

C:\Users\Admin\AppData\Local\egmWm2cV\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\egmWm2cV\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3044

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:1740

C:\Users\Admin\AppData\Local\ebf\Utilman.exe
C:\Users\Admin\AppData\Local\ebf\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ap4gkf\OLEACC.dll

Filesize
904KB

MD5
f20a6166eef6b6217ba5146269b2e62a

SHA1
a363c5bfe1fab345f361a415e37a2a0e1413612f

SHA256
4c1d9105301f8f15e97467a72e6ad63d30380cdeb18f62bb4f8cd2986c563591

SHA512
784ae42318f6c5bb5e43756b242cd52c5403d0fbf046c735b4b431fc5689bfb63ece232ad489f6dbe388ab6109b5227646998c9809a22eca1f22842a8d587a15

Download Submit
C:\Users\Admin\AppData\Local\ebf\DUI70.dll

Filesize
1.1MB

MD5
d9a871440e7f65a47b2f4f4007cfe6d2

SHA1
0bef5434f2763147a45acdb976e8eba2be60825c

SHA256
736d53f14b97ad354e045a955e1c5b5337dfa1a4556a5ba517675838e78f772c

SHA512
9dd774db766665e32bac51240d51fd2b85a5b561d4ab6e0feeebd3e56bcaf6f489f5e5844c34b729e9ce36bfa86c090cc0596dfdba1c19a52976812a65c57544

Download Submit
C:\Users\Admin\AppData\Local\ebf\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
C:\Users\Admin\AppData\Local\egmWm2cV\SYSDM.CPL

Filesize
904KB

MD5
ebe60483acfe41bdf3176d0b8c518e8b

SHA1
a91b61c08e3dfc2a543d2401ac94f739034a755a

SHA256
36ec9d6df0f3d326268ddeaf81d0690f5fb771d87061be09faf283e166b372ab

SHA512
7957ac648c60f860ec1839c6b292486e7cfca13b4a785a562f638edd6ba5d81f2af3fe84c596a6f510ff2ac1a32e9a721bdde86f673fd8e814620289bfe8ad3b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

Filesize
735B

MD5
489eace4903f10581ecec54760993bb8

SHA1
794897a8591aa00f79922f7f231c83aa29680544

SHA256
55f4d7c9f70a6f5518201d1e3564a242e7b1ab59592011a2fe4d43975c003970

SHA512
b70a19c6a1c82bc156b0bfc4d24c43041011b643d10b4b617c1a47cbbde1442f2017aaeb3066fdf0587b2991c01a1387629cc1fbf6413664c342f7ead821472c

Download Submit
\Users\Admin\AppData\Local\Ap4gkf\psr.exe

Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\egmWm2cV\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
memory/584-90-0x0000000140000000-0x0000000140115000-memory.dmp

Filesize
1.1MB

Download
memory/584-86-0x0000000140000000-0x0000000140115000-memory.dmp

Filesize
1.1MB

Download
memory/1216-24-0x0000000076F10000-0x0000000076F12000-memory.dmp

Filesize
8KB

Download
memory/1216-35-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-9-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-8-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-7-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-11-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-25-0x0000000076F40000-0x0000000076F42000-memory.dmp

Filesize
8KB

Download
memory/1216-10-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-34-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-14-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-3-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

Filesize
4KB

Download
memory/1216-44-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

Filesize
4KB

Download
memory/1216-12-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-23-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-4-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1216-6-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1216-22-0x00000000025D0000-0x00000000025D7000-memory.dmp

Filesize
28KB

Download
memory/1216-13-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2516-2-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/2516-43-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2516-1-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2916-57-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2916-53-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2916-52-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/3044-69-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/3044-74-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads