dridex | f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37

General

Target

f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37.dll
Size

700KB
MD5

01bd9d7bb1409146b8a1cd2065d17056
SHA1

042d82677a3cbc0de8776cab406c13edd561fa55
SHA256

f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37
SHA512

caf87440b65c8349b4974ebeac64f79e0a052c346827bc9813a906f264935276661ab5c37ce34e586b7c2b15825c7eec144188ae696698e3cef226896e84dda6
SSDEEP

12288:aqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:aqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3404-4-0x0000000002C50000-0x0000000002C51000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3588-0-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3404-34-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3404-23-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3588-37-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/1816-45-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/1816-49-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/4712-60-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/4712-65-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral2/memory/1656-80-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

ProximityUxHost.exeusocoreworker.exeBitLockerWizard.exe

pid process

1816 ProximityUxHost.exe
4712 usocoreworker.exe
1656 BitLockerWizard.exe
Loads dropped DLL 3 IoCs

Processes:

ProximityUxHost.exeusocoreworker.exeBitLockerWizard.exe

pid process

1816 ProximityUxHost.exe
4712 usocoreworker.exe
1656 BitLockerWizard.exe

pid	process
1816	ProximityUxHost.exe
4712	usocoreworker.exe
1656	BitLockerWizard.exe

pid	process
1816	ProximityUxHost.exe
4712	usocoreworker.exe
1656	BitLockerWizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\5E4XyiSp\\USOCOR~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizard.exerundll32.exeProximityUxHost.exeusocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProximityUxHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3404

pid	process
3404

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3404 wrote to memory of 940	3404	ProximityUxHost.exe
PID 3404 wrote to memory of 940	3404	ProximityUxHost.exe
PID 3404 wrote to memory of 1816	3404	ProximityUxHost.exe
PID 3404 wrote to memory of 1816	3404	ProximityUxHost.exe
PID 3404 wrote to memory of 4028	3404	usocoreworker.exe
PID 3404 wrote to memory of 4028	3404	usocoreworker.exe
PID 3404 wrote to memory of 4712	3404	usocoreworker.exe
PID 3404 wrote to memory of 4712	3404	usocoreworker.exe
PID 3404 wrote to memory of 4200	3404	BitLockerWizard.exe
PID 3404 wrote to memory of 4200	3404	BitLockerWizard.exe
PID 3404 wrote to memory of 1656	3404	BitLockerWizard.exe
PID 3404 wrote to memory of 1656	3404	BitLockerWizard.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7741f859cde80004d03ae73dc883cda2839c4bc3ae4b3eaec12545221ce6b37.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
1⤵
PID:940

C:\Users\Admin\AppData\Local\6PW\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\6PW\ProximityUxHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1816

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:4028

C:\Users\Admin\AppData\Local\eh72C3W\usocoreworker.exe
C:\Users\Admin\AppData\Local\eh72C3W\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4712

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:4200

C:\Users\Admin\AppData\Local\AF6YIkO\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\AF6YIkO\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6PW\ProximityUxHost.exe

Filesize
263KB

MD5
9ea326415b83d77295c70a35feb75577

SHA1
f8fc6a4f7f97b242f35066f61d305e278155b8a8

SHA256
192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

SHA512
2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

Download Submit
C:\Users\Admin\AppData\Local\6PW\WINMM.dll

Filesize
708KB

MD5
0f996d253c2d14ee4514f74f4390a704

SHA1
694bb5d0f27df1c9f52d08f1c2b05c7916f21236

SHA256
cdb8b120a603e03182e08fec1cfd639efc5e33c599b8457b84350e02bd7ef8ae

SHA512
ca37bd53e270f53356b0d16ad14dd52a3c1917636a35727b553e8c8271de2863924d9bd2648e9e03368cb84406d3c622d28bb0e7a1a4631d87aabd0bd2c57bf0

Download Submit
C:\Users\Admin\AppData\Local\AF6YIkO\BitLockerWizard.exe

Filesize
100KB

MD5
6d30c96f29f64b34bc98e4c81d9b0ee8

SHA1
4a3adc355f02b9c69bdbe391bfb01469dee15cf0

SHA256
7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

SHA512
25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

Download Submit
C:\Users\Admin\AppData\Local\AF6YIkO\FVEWIZ.dll

Filesize
704KB

MD5
397a06427016babfb2bf2f49540401dd

SHA1
7b69658c6abefc00042f9b44df1afd0d405a8c3c

SHA256
77671087aab6ec8dbf46131a64ace592d05d1e6dc3b5d385f9f43fb2a6c19795

SHA512
65314069774b34115a78067bd4382fd3bd61baa76a6c3570f0e7c110ced8a58a02678cf1d63afedef7192d2a69c08da0574f772c7353e56fd180145d3b098090

Download Submit
C:\Users\Admin\AppData\Local\eh72C3W\XmlLite.dll

Filesize
704KB

MD5
2f0052c0071202b0e00cc83f5a7550ca

SHA1
3649fd14ed1ed4ec76a0062768fe51404331b619

SHA256
97c7b1fc07faf33dec031a8959e8f59e66f3fe7251ca959bc13c2201fb4efdc7

SHA512
45412534d6845b0dbfc1eff7c2e80b1fb843f53f9779e22ace85bb0a2fb32c6b1436a03d5c2668167a253f55df4886424eed07c16817585d5810630cc01e6e57

Download Submit
C:\Users\Admin\AppData\Local\eh72C3W\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
20bc17e2c56b45bbe4389f79cb3f8ec1

SHA1
cd82741da62c24b2b58f95c12e4013afa800d100

SHA256
83e845e77f278f7a5411fd1b269ca5a93319b9afbc25460ce3ccb7a0e791010a

SHA512
1c7352cff60c323186dad97813aa5bc6b4e1ab5d491c1544925e7fd63ec605674252e9d9eb90cf83f171d43caf66c58ff9d44a499bafacdacd1097a839040fcd

Download Submit
memory/1656-80-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1816-49-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1816-45-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1816-44-0x0000028212A80000-0x0000028212A87000-memory.dmp

Filesize
28KB

Download
memory/3404-12-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-4-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/3404-10-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-9-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-8-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-7-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-6-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-11-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-34-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-24-0x00007FFA28B40000-0x00007FFA28B50000-memory.dmp

Filesize
64KB

Download
memory/3404-25-0x00007FFA28B30000-0x00007FFA28B40000-memory.dmp

Filesize
64KB

Download
memory/3404-23-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-13-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-22-0x0000000000D50000-0x0000000000D57000-memory.dmp

Filesize
28KB

Download
memory/3404-14-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3404-3-0x00007FFA284BA000-0x00007FFA284BB000-memory.dmp

Filesize
4KB

Download
memory/3588-0-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3588-37-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3588-2-0x0000020363BC0000-0x0000020363BC7000-memory.dmp

Filesize
28KB

Download
memory/4712-65-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/4712-62-0x00000128964C0000-0x00000128964C7000-memory.dmp

Filesize
28KB

Download
memory/4712-60-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads