dridex | f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37

General

Target

f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37.dll
Size

700KB
MD5

01bd9d7bb1409146b8a1cd2065d17056
SHA1

042d82677a3cbc0de8776cab406c13edd561fa55
SHA256

f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37
SHA512

caf87440b65c8349b4974ebeac64f79e0a052c346827bc9813a906f264935276661ab5c37ce34e586b7c2b15825c7eec144188ae696698e3cef226896e84dda6
SSDEEP

12288:aqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:aqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-4-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/844-1-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1196-23-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1196-34-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1196-35-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/844-43-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2740-52-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/2740-57-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/2484-74-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/1256-86-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1256-90-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

mfpmp.execalc.exeDWWIN.EXE

pid process

2740 mfpmp.exe
2484 calc.exe
1256 DWWIN.EXE
Loads dropped DLL 7 IoCs

Processes:

mfpmp.execalc.exeDWWIN.EXE

pid process

1196
2740 mfpmp.exe
1196
2484 calc.exe
1196
1256 DWWIN.EXE
1196

pid	process
2740	mfpmp.exe
2484	calc.exe
1256	DWWIN.EXE

pid	process
1196
2740	mfpmp.exe
1196
2484	calc.exe
1196
1256	DWWIN.EXE
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\zDLSju3\\calc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DWWIN.EXErundll32.exemfpmp.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exemfpmp.exe

pid	process
844	rundll32.exe
844	rundll32.exe
844	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
2740	mfpmp.exe
2740	mfpmp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2784	1196	mfpmp.exe
PID 1196 wrote to memory of 2784	1196	mfpmp.exe
PID 1196 wrote to memory of 2784	1196	mfpmp.exe
PID 1196 wrote to memory of 2740	1196	mfpmp.exe
PID 1196 wrote to memory of 2740	1196	mfpmp.exe
PID 1196 wrote to memory of 2740	1196	mfpmp.exe
PID 1196 wrote to memory of 2972	1196	calc.exe
PID 1196 wrote to memory of 2972	1196	calc.exe
PID 1196 wrote to memory of 2972	1196	calc.exe
PID 1196 wrote to memory of 2484	1196	calc.exe
PID 1196 wrote to memory of 2484	1196	calc.exe
PID 1196 wrote to memory of 2484	1196	calc.exe
PID 1196 wrote to memory of 1156	1196	DWWIN.EXE
PID 1196 wrote to memory of 1156	1196	DWWIN.EXE
PID 1196 wrote to memory of 1156	1196	DWWIN.EXE
PID 1196 wrote to memory of 1256	1196	DWWIN.EXE
PID 1196 wrote to memory of 1256	1196	DWWIN.EXE
PID 1196 wrote to memory of 1256	1196	DWWIN.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\1zlZ\mfpmp.exe
C:\Users\Admin\AppData\Local\1zlZ\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2972

C:\Users\Admin\AppData\Local\ugJv7\calc.exe
C:\Users\Admin\AppData\Local\ugJv7\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2484

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:1156

C:\Users\Admin\AppData\Local\mj0SpjJt\DWWIN.EXE
C:\Users\Admin\AppData\Local\mj0SpjJt\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1zlZ\MFPlat.DLL

Filesize
708KB

MD5
d1fff4d90dae6fcdcc0d10f43fc3021d

SHA1
70132ac2c43dd4c96dae3a07324f0b5af0fe01d0

SHA256
512ffd2a16614ff401bc25bf008083ad0292fb27abd700bf90d1b3bd58e59bf1

SHA512
1c934ea3c548e1be061ca964c47a06785bc51b883d01e923831c9864479d982008fd5f14117a6cb8579a8e536376de8724300cd321821e584dd88b379696ce9b

Download Submit
C:\Users\Admin\AppData\Local\mj0SpjJt\wer.dll

Filesize
704KB

MD5
59f423aad48c88cf004d83cd1155298b

SHA1
b71fb71f31e6266d55fc321e40bb2d27a3da1e96

SHA256
85e8362a78c02fab9ea482d1972f68b26a5145ff20efcbf870302484fdea4aa0

SHA512
830d9bd4aba4296a068764843dc074f5ab32d74ba612a1ba5bff22708d3865eff28433fdc45cd975af75a4e56a17f14309b7d23d4fcfb9e2bd9986742f5bfb6e

Download Submit
C:\Users\Admin\AppData\Local\ugJv7\WINMM.dll

Filesize
708KB

MD5
ab325be8a1ebbb16585a231f86cd0be2

SHA1
94891445da2a4034ca9ec53d0103ea7dbf6962d3

SHA256
7e6ea1bf3134eea16b45b3e4c58d598d9a40e45373fd89b578e1ebfeaa0f1257

SHA512
e5638dc43d21381d0e6de404c993ba9dde343eb1477b69a4adfd43c2473da78eca951f05a04c0764c70c1f0393c0dc0d166d7e0230e5be9a9aaf23b06b564233

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
3ad98ca3a99c5bc6893c595e0bbb3b2d

SHA1
059ce2a0187d7c15e088cb7b7f5bade88a680aaf

SHA256
b768d1be7b05de3597123733c0688b5c2aed5f1a35773d07da0362edd4e4788e

SHA512
006d32cf4bf17dd3a869011c2171875db15c73632cbc78d1ec4cb0d729a7cdb2b60bfa248dc7f8e9a2277280cb238a1550f088f41fdd2e4da353ba3a92bbd0ca

Download Submit
\Users\Admin\AppData\Local\1zlZ\mfpmp.exe

Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\mj0SpjJt\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\ugJv7\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
memory/844-2-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/844-1-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/844-43-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-24-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/1196-11-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-13-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-12-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-23-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-25-0x0000000077410000-0x0000000077412000-memory.dmp

Filesize
8KB

Download
memory/1196-14-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-34-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-35-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-10-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-44-0x0000000077076000-0x0000000077077000-memory.dmp

Filesize
4KB

Download
memory/1196-6-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-7-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-3-0x0000000077076000-0x0000000077077000-memory.dmp

Filesize
4KB

Download
memory/1196-22-0x00000000021B0000-0x00000000021B7000-memory.dmp

Filesize
28KB

Download
memory/1196-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1196-8-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1196-9-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1256-86-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1256-90-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2484-74-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2484-71-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/2740-57-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2740-54-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/2740-52-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads