dridex | e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce

General

Target

e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce.dll
Size

700KB
MD5

45424a5476cd3741110250714626b4e4
SHA1

6cd678d66094c596200c3e6cbdbac1147077961a
SHA256

e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce
SHA512

cf6152d4a2094a951d16f9583ad2080027264b21556bd38b4d381c88e17575e8d6e44417ac710cdab801913240753b6fd6064724220772ae928a79bac3937789
SSDEEP

12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1284-4-0x0000000002060000-0x0000000002061000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2420-0-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1284-24-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1284-36-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1284-37-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2420-44-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2708-53-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/2708-58-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/448-75-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1656-91-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

dccw.exevmicsvc.exespreview.exe

pid process

2708 dccw.exe
448 vmicsvc.exe
1656 spreview.exe
Loads dropped DLL 7 IoCs

Processes:

dccw.exevmicsvc.exespreview.exe

pid process

1284
2708 dccw.exe
1284
448 vmicsvc.exe
1284
1656 spreview.exe
1284

pid	process
2708	dccw.exe
448	vmicsvc.exe
1656	spreview.exe

pid	process
1284
2708	dccw.exe
1284
448	vmicsvc.exe
1284
1656	spreview.exe
1284

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\1xWbUhko2\\vmicsvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedccw.exevmicsvc.exespreview.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exedccw.exe

pid	process
2420	rundll32.exe
2420	rundll32.exe
2420	rundll32.exe
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
2708	dccw.exe
2708	dccw.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1284 wrote to memory of 2824	1284	dccw.exe
PID 1284 wrote to memory of 2824	1284	dccw.exe
PID 1284 wrote to memory of 2824	1284	dccw.exe
PID 1284 wrote to memory of 2708	1284	dccw.exe
PID 1284 wrote to memory of 2708	1284	dccw.exe
PID 1284 wrote to memory of 2708	1284	dccw.exe
PID 1284 wrote to memory of 3060	1284	vmicsvc.exe
PID 1284 wrote to memory of 3060	1284	vmicsvc.exe
PID 1284 wrote to memory of 3060	1284	vmicsvc.exe
PID 1284 wrote to memory of 448	1284	vmicsvc.exe
PID 1284 wrote to memory of 448	1284	vmicsvc.exe
PID 1284 wrote to memory of 448	1284	vmicsvc.exe
PID 1284 wrote to memory of 2424	1284	spreview.exe
PID 1284 wrote to memory of 2424	1284	spreview.exe
PID 1284 wrote to memory of 2424	1284	spreview.exe
PID 1284 wrote to memory of 1656	1284	spreview.exe
PID 1284 wrote to memory of 1656	1284	spreview.exe
PID 1284 wrote to memory of 1656	1284	spreview.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0bb41f16dbcd4feeadcb96519eee1d82877b76b83776bd7776a648021644fce.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2824

C:\Users\Admin\AppData\Local\1PYFaESwh\dccw.exe
C:\Users\Admin\AppData\Local\1PYFaESwh\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:3060

C:\Users\Admin\AppData\Local\L6IqGG\vmicsvc.exe
C:\Users\Admin\AppData\Local\L6IqGG\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:448

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:2424

C:\Users\Admin\AppData\Local\8cGKml\spreview.exe
C:\Users\Admin\AppData\Local\8cGKml\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8cGKml\spreview.exe

Filesize
294KB

MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
C:\Users\Admin\AppData\Local\8cGKml\sqmapi.dll

Filesize
704KB

MD5
6f765dbf9763dcfd0f6e6fc7b733ba8a

SHA1
600a0106c40abd10aa89f135b8f7b29cedaf60f4

SHA256
dc1d4657f5d16f17ef7c52558bac9a4d1b5f64403896ee1b5c48c4d703602ff5

SHA512
894c67a1e2c3fcbd12670fa78230b1119eb621580a98fca89fad1597fbddb7fd032b58c01c9f654fecc688dedcb2bbed7d1ab27bfa037f4649db9ff107c9b929

Download Submit
C:\Users\Admin\AppData\Local\L6IqGG\ACTIVEDS.dll

Filesize
704KB

MD5
5a8a9950b69985dce56bfddfcdc2501e

SHA1
162c633145c4df5200fef184393a81e86b91fd4d

SHA256
47a88d207c9fca92eb6dfc4a2be71c85f4214de54f280ce55e63542c9ecd0af9

SHA512
0c01a6c2d218cac9b3072c4f65d014bde1db83e3436b629b1fcd91b4677ac98fe8f82da8aa1b97e60116eeb685abe104fe1bbc339fb9f4834b213e10c8aafbf8

Download Submit
C:\Users\Admin\AppData\Local\L6IqGG\vmicsvc.exe

Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
916B

MD5
426e4d3548d1b0567b38afc4eaf58fb3

SHA1
cbcdc2da90b05b589fcaf20ffeec3bdd17e9a2a1

SHA256
1e139d863f2bd8831abfee3e8d007402eaa06f8b8717d4fb97d0bace7dcecc06

SHA512
d39a40cf714f006a1ea5eb7738c31d49715a15f600dcd15078c776d2115befb468636e7783f2015e416bf2fabfe785444774a1fa43dcc556c586a6a2c694e245

Download Submit
\Users\Admin\AppData\Local\1PYFaESwh\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\1PYFaESwh\mscms.dll

Filesize
704KB

MD5
eff6b4d720b2ac70089ee77ed28249c2

SHA1
0bbc5756dec4ca529ea8aa21585eb50db791c373

SHA256
fa2ab1d76af63e22339ef9fd6fc05f4803fd0e17d6648e62e4f4f17777966632

SHA512
17798b7b8f7781b5eda2da77cd1581f3ac26116ce268c8c376b0723ac97384bc86904ee8f221243d9ea5ac5fd59035f4e2bae2e65e1ebc089c1c777112a31455

Download Submit
memory/448-75-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/448-72-0x0000000001F10000-0x0000000001F17000-memory.dmp

Filesize
28KB

Download
memory/1284-26-0x00000000770C0000-0x00000000770C2000-memory.dmp

Filesize
8KB

Download
memory/1284-7-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-23-0x0000000002040000-0x0000000002047000-memory.dmp

Filesize
28KB

Download
memory/1284-13-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-12-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-11-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-24-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-3-0x0000000076D26000-0x0000000076D27000-memory.dmp

Filesize
4KB

Download
memory/1284-25-0x0000000077090000-0x0000000077092000-memory.dmp

Filesize
8KB

Download
memory/1284-36-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-37-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-4-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1284-45-0x0000000076D26000-0x0000000076D27000-memory.dmp

Filesize
4KB

Download
memory/1284-15-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-10-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-9-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-8-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-14-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1284-6-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1656-91-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2420-44-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2420-2-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/2420-0-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2708-58-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2708-55-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/2708-53-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads