dridex | bf4a030404a33a8c559e6247a6a7dde969beac784237a4bc09ee9782a6b13eb6

General

Target

bf4a030404a33a8c559e6247a6a7dde969beac784237a4bc09ee9782a6b13eb6.dll
Size

700KB
MD5

22bb81fe492c73919a75ae4152bd6da9
SHA1

93ea623df22f23cfba08fce532ae04b037f6f93f
SHA256

bf4a030404a33a8c559e6247a6a7dde969beac784237a4bc09ee9782a6b13eb6
SHA512

60cad20be3e4548eab668e1c1c280d9588241638f320e2d9f36587ea89754c47e47ac4ca692182b7707d326ee6c88229b350f39ef11cf1e9c2b1b2fbf2cc704c
SSDEEP

12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-4-0x0000000002E50000-0x0000000002E51000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2532-1-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1184-24-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1184-35-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1184-36-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2532-44-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2124-53-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/2124-57-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/2648-69-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/2648-74-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/2364-90-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

winlogon.execttune.exeEhStorAuthn.exe

pid process

2124 winlogon.exe
2648 cttune.exe
2364 EhStorAuthn.exe
Loads dropped DLL 7 IoCs

Processes:

winlogon.execttune.exeEhStorAuthn.exe

pid process

1184
2124 winlogon.exe
1184
2648 cttune.exe
1184
2364 EhStorAuthn.exe
1184

pid	process
2124	winlogon.exe
2648	cttune.exe
2364	EhStorAuthn.exe

pid	process
1184
2124	winlogon.exe
1184
2648	cttune.exe
1184
2364	EhStorAuthn.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\BUiv9VKS\\cttune.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewinlogon.execttune.exeEhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2532	rundll32.exe
2532	rundll32.exe
2532	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 2716	1184	winlogon.exe
PID 1184 wrote to memory of 2716	1184	winlogon.exe
PID 1184 wrote to memory of 2716	1184	winlogon.exe
PID 1184 wrote to memory of 2124	1184	winlogon.exe
PID 1184 wrote to memory of 2124	1184	winlogon.exe
PID 1184 wrote to memory of 2124	1184	winlogon.exe
PID 1184 wrote to memory of 2208	1184	cttune.exe
PID 1184 wrote to memory of 2208	1184	cttune.exe
PID 1184 wrote to memory of 2208	1184	cttune.exe
PID 1184 wrote to memory of 2648	1184	cttune.exe
PID 1184 wrote to memory of 2648	1184	cttune.exe
PID 1184 wrote to memory of 2648	1184	cttune.exe
PID 1184 wrote to memory of 1212	1184	EhStorAuthn.exe
PID 1184 wrote to memory of 1212	1184	EhStorAuthn.exe
PID 1184 wrote to memory of 1212	1184	EhStorAuthn.exe
PID 1184 wrote to memory of 2364	1184	EhStorAuthn.exe
PID 1184 wrote to memory of 2364	1184	EhStorAuthn.exe
PID 1184 wrote to memory of 2364	1184	EhStorAuthn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf4a030404a33a8c559e6247a6a7dde969beac784237a4bc09ee9782a6b13eb6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2716

C:\Users\Admin\AppData\Local\FsGou\winlogon.exe
C:\Users\Admin\AppData\Local\FsGou\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2124

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2208

C:\Users\Admin\AppData\Local\EuU1q\cttune.exe
C:\Users\Admin\AppData\Local\EuU1q\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2648

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1212

C:\Users\Admin\AppData\Local\sHD\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\sHD\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EuU1q\UxTheme.dll

Filesize
704KB

MD5
516757270e7e3e9adc90386ad3d31ddc

SHA1
1ee3c362c08bf06f8da489d6aba76d7de923071d

SHA256
2f4a776a33216a3a1b64040f77906d2ff06e36e04ca8e35c0efa90f5500aa985

SHA512
8af9260f9bd0602f313513ba9e30f5b23d2f689e27069188838369e899bc1df8899cc417d2de0746436b8cd0cac22eb5a59c43409a54af5858f4763d3add9935

Download Submit
C:\Users\Admin\AppData\Local\FsGou\WINSTA.dll

Filesize
708KB

MD5
0972b290fbfc9352d7e9eabeb3c8926a

SHA1
f0784ac6857596023b580318db8b2ed8e9874c14

SHA256
ed0a18d91a09b9fd5553a015ca49ab6e072ac5d8e63ecafc473fc1a7436f3b75

SHA512
b8cb79b6212e5dd1ea6abbe5b3401a62e6ce529919889c18d77f54ebf6eaad5f60ccad0a175ff1a07944db026a29f427d48d5f51a78c4d4e6699269d381793d8

Download Submit
C:\Users\Admin\AppData\Local\sHD\UxTheme.dll

Filesize
704KB

MD5
18472c3ec14145932ac5b14ca284a641

SHA1
5b4a895b4b1bf8b96cad1ee632eb388c992fc0ba

SHA256
1991cb2436ae4c131628ccaec120b09e9bcbc42092d07bf6dd84edb653749418

SHA512
f8096a8fd0f04752e5593b5efe21b7d980c2b431574b0f730c33b5c7bf822bbfb057cdae590374553c86dd770e7455760f0d42c59f63674c8fd7c1c6665b2e66

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
89c86859001de4fe2a87304ef1dfe041

SHA1
ae4872d5f7780413f5af2a00c98decec32ed39ca

SHA256
ac065d445dd74388474807a477da0810019427cfcd7870167bc503a122618048

SHA512
4d3a73900da904f2f0d39d33cdece21a8239282fc034c2468ac10e11d38e54f1dc86bd3a4d00c08eb8337aa81453bcfb8c493204309e63774e206316dc413f92

Download Submit
\Users\Admin\AppData\Local\EuU1q\cttune.exe

Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\FsGou\winlogon.exe

Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\sHD\EhStorAuthn.exe

Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
memory/1184-26-0x0000000077070000-0x0000000077072000-memory.dmp

Filesize
8KB

Download
memory/1184-10-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-13-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-12-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-11-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-9-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-8-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-7-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-24-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-3-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1184-25-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1184-35-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-36-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-4-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1184-45-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1184-23-0x0000000002E30000-0x0000000002E37000-memory.dmp

Filesize
28KB

Download
memory/1184-15-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-6-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1184-14-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2124-57-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2124-53-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2364-90-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2532-44-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2532-0-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2532-1-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2648-71-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2648-69-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2648-74-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads