dridex | 5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63

General

Target

5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63.dll
Size

972KB
MD5

f02061a30d702d2dab4bf5d0557a1587
SHA1

e155dc8cc21a6176969c38eacc5e0d5a8d15d452
SHA256

5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63
SHA512

1bbbbd355f95fefc63758a4e45ad1a43ba03ef2e7629e0253a850924ca0a3fe0789cc7bc0c203b82b4f7004f09016ebad26ff431459bc3488986b785a46a4b5a
SSDEEP

12288:AqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4BaedTJqpq:AqGBHTxvt+g2gYedtu

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-4-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2432-0-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral1/memory/1236-23-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral1/memory/1236-34-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral1/memory/1236-36-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral1/memory/2432-43-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral1/memory/2704-52-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral1/memory/2704-58-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral1/memory/2660-70-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral1/memory/2660-75-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral1/memory/2028-91-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exeiexpress.exemsdtc.exe

pid process

2704 rdpclip.exe
2660 iexpress.exe
2028 msdtc.exe
Loads dropped DLL 7 IoCs

Processes:

rdpclip.exeiexpress.exemsdtc.exe

pid process

1236
2704 rdpclip.exe
1236
2660 iexpress.exe
1236
2028 msdtc.exe
1236

pid	process
2704	rdpclip.exe
2660	iexpress.exe
2028	msdtc.exe

pid	process
1236
2704	rdpclip.exe
1236
2660	iexpress.exe
1236
2028	msdtc.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\LD8K2Z~1\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exeiexpress.exemsdtc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdpclip.exe

pid	process
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
2704	rdpclip.exe
2704	rdpclip.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1236 wrote to memory of 2872	1236	rdpclip.exe
PID 1236 wrote to memory of 2872	1236	rdpclip.exe
PID 1236 wrote to memory of 2872	1236	rdpclip.exe
PID 1236 wrote to memory of 2704	1236	rdpclip.exe
PID 1236 wrote to memory of 2704	1236	rdpclip.exe
PID 1236 wrote to memory of 2704	1236	rdpclip.exe
PID 1236 wrote to memory of 1600	1236	iexpress.exe
PID 1236 wrote to memory of 1600	1236	iexpress.exe
PID 1236 wrote to memory of 1600	1236	iexpress.exe
PID 1236 wrote to memory of 2660	1236	iexpress.exe
PID 1236 wrote to memory of 2660	1236	iexpress.exe
PID 1236 wrote to memory of 2660	1236	iexpress.exe
PID 1236 wrote to memory of 1484	1236	msdtc.exe
PID 1236 wrote to memory of 1484	1236	msdtc.exe
PID 1236 wrote to memory of 1484	1236	msdtc.exe
PID 1236 wrote to memory of 2028	1236	msdtc.exe
PID 1236 wrote to memory of 2028	1236	msdtc.exe
PID 1236 wrote to memory of 2028	1236	msdtc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2872

C:\Users\Admin\AppData\Local\4cafw\rdpclip.exe
C:\Users\Admin\AppData\Local\4cafw\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1600

C:\Users\Admin\AppData\Local\vadtu\iexpress.exe
C:\Users\Admin\AppData\Local\vadtu\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2660

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:1484

C:\Users\Admin\AppData\Local\w3kZG4PD\msdtc.exe
C:\Users\Admin\AppData\Local\w3kZG4PD\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4cafw\rdpclip.exe

Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
C:\Users\Admin\AppData\Local\vadtu\VERSION.dll

Filesize
976KB

MD5
846c755b7d5fb108fa1053f2d4e3bd1f

SHA1
fcbbdcdf78d385bae0655251c7fd4d94f1631a95

SHA256
51d768414f5917001c19e272901cab82a8979291d534164b629613159e2eb7af

SHA512
afae7f1d4b942d48d855b1f405f31a49fdcfcda85e15ad8e0c2a220d145c03c60d4ca3effd10bb135d8864411f0f3b9c55f934697687a779346f734272a7993a

Download Submit
C:\Users\Admin\AppData\Local\w3kZG4PD\VERSION.dll

Filesize
976KB

MD5
850829ac130e6bb23e2a9f3f8d89fbb4

SHA1
497523a9773d7be9e13dedbd95ef5388a3ed9352

SHA256
9a2631b7a0f43a42dc464ef5ae12eff8541cf688147d3fa0163d68f92dbcc97d

SHA512
5b2062e44694240f58aa11bc0da81956d165621f34d55e97e2beb3eb7f464fdce6cf33f87589b99cf6acd5dc25884eca2252594dc00fe72c7a09f157a27b1335

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
c203cdb030d4e7f43387927f7d3846fc

SHA1
f4cf5b39f782315123dc24a83f1f7fb65002f02b

SHA256
aa1a4586e0d00be109a7dd9fc92616f9297a2fbcf6901ee535fd83a2ef8e38a9

SHA512
51786b337fdd5d1ae4c9fc35fc81efbaa7d8790c470472c40103dc5bc79222cc09a80c440a7134a1eb6c8cd9a428fe7530789a0e3e8a14951a3421d49f1596e8

Download Submit
\Users\Admin\AppData\Local\4cafw\WINSTA.dll

Filesize
980KB

MD5
a3357dea71d1ccda557a09206bccb064

SHA1
0d68828ae8c917a23e05e495b16f53d503cd6100

SHA256
f191951c4d7ad33c8157c181e3d764e5805960c6bfb38b7fb9a9268dbcd2bec7

SHA512
89957ceef39ae3b8a09ba202215b5b238403399581f07fe071f3d9569814480c14b47ba58b89da221e3692a736d1cd38fcf70a5f455142dec9b07ad12bee901f

Download Submit
\Users\Admin\AppData\Local\vadtu\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\w3kZG4PD\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/1236-12-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-14-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-3-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

Filesize
4KB

Download
memory/1236-11-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-9-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-7-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-10-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-23-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-25-0x0000000077360000-0x0000000077362000-memory.dmp

Filesize
8KB

Download
memory/1236-24-0x0000000077330000-0x0000000077332000-memory.dmp

Filesize
8KB

Download
memory/1236-34-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-36-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1236-44-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

Filesize
4KB

Download
memory/1236-22-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/1236-13-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-6-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1236-8-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/2028-91-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/2432-43-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/2432-0-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/2432-2-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/2660-70-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/2660-72-0x0000000000510000-0x0000000000517000-memory.dmp

Filesize
28KB

Download
memory/2660-75-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/2704-57-0x00000000FF020000-0x00000000FF059000-memory.dmp

Filesize
228KB

Download
memory/2704-58-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/2704-52-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/2704-54-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads