dridex | 5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63

General

Target

5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63.dll
Size

972KB
MD5

f02061a30d702d2dab4bf5d0557a1587
SHA1

e155dc8cc21a6176969c38eacc5e0d5a8d15d452
SHA256

5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63
SHA512

1bbbbd355f95fefc63758a4e45ad1a43ba03ef2e7629e0253a850924ca0a3fe0789cc7bc0c203b82b4f7004f09016ebad26ff431459bc3488986b785a46a4b5a
SSDEEP

12288:AqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4BaedTJqpq:AqGBHTxvt+g2gYedtu

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3492-3-0x00000000026E0000-0x00000000026E1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3576-1-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/3492-34-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/3492-23-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/3576-37-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/3628-45-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral2/memory/3628-49-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral2/memory/1616-66-0x0000000140000000-0x00000001400F4000-memory.dmp	dridex_payload
behavioral2/memory/4024-77-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload
behavioral2/memory/4024-81-0x0000000140000000-0x00000001400F5000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

msra.exemsinfo32.exePresentationSettings.exe

pid process

3628 msra.exe
1616 msinfo32.exe
4024 PresentationSettings.exe
Loads dropped DLL 3 IoCs

Processes:

msra.exemsinfo32.exePresentationSettings.exe

pid process

3628 msra.exe
1616 msinfo32.exe
4024 PresentationSettings.exe

pid	process
3628	msra.exe
1616	msinfo32.exe
4024	PresentationSettings.exe

pid	process
3628	msra.exe
1616	msinfo32.exe
4024	PresentationSettings.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\o6r\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsra.exemsinfo32.exePresentationSettings.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3576	rundll32.exe
3576	rundll32.exe
3576	rundll32.exe
3576	rundll32.exe
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3492

pid	process
3492

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3492 wrote to memory of 852	3492	msra.exe
PID 3492 wrote to memory of 852	3492	msra.exe
PID 3492 wrote to memory of 3628	3492	msra.exe
PID 3492 wrote to memory of 3628	3492	msra.exe
PID 3492 wrote to memory of 3600	3492	msinfo32.exe
PID 3492 wrote to memory of 3600	3492	msinfo32.exe
PID 3492 wrote to memory of 1616	3492	msinfo32.exe
PID 3492 wrote to memory of 1616	3492	msinfo32.exe
PID 3492 wrote to memory of 5040	3492	PresentationSettings.exe
PID 3492 wrote to memory of 5040	3492	PresentationSettings.exe
PID 3492 wrote to memory of 4024	3492	PresentationSettings.exe
PID 3492 wrote to memory of 4024	3492	PresentationSettings.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a3f8dcfab8e9ee7abe3dad7a5a0685a088c108075cbc72f622b8511f79bbf63.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:852

C:\Users\Admin\AppData\Local\vz7zzNlTn\msra.exe
C:\Users\Admin\AppData\Local\vz7zzNlTn\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3628

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:3600

C:\Users\Admin\AppData\Local\F7mh\msinfo32.exe
C:\Users\Admin\AppData\Local\F7mh\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1616

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:5040

C:\Users\Admin\AppData\Local\02pI7\PresentationSettings.exe
C:\Users\Admin\AppData\Local\02pI7\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\02pI7\PresentationSettings.exe

Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\02pI7\WINMM.dll

Filesize
980KB

MD5
560af09186b43023d3965953cd6448da

SHA1
8c87e56cced34d5f7d8c6955391ea40f0cb19fc6

SHA256
79c39bd1a051ae9eed741313f7ab9ee5a9df422ea54861d5f145983bb1959185

SHA512
bf3d80fdca9d07503a5db6e7d9ae30e787438954f85311c24982e2283dfb8f98b1e180fa03c1227f80e415832e64e81233ceea4884594e62ca66c2766627d028

Download Submit
C:\Users\Admin\AppData\Local\F7mh\SLC.dll

Filesize
976KB

MD5
23d4cdcf2917b69891e1c0e92abcc27e

SHA1
5f78068b1f003c018a18d1becebdb89b392e372e

SHA256
2752ca21053d56893cb922ad8ed1eace715e8717f8aa040500bd907cb95d3abf

SHA512
dd03e2a80fdef0c7dd2202dc43a1f76173ca4566fea415803914da52790d465e8094b17b636c348fa64b2a0b3f3da868a9780555570c19733fcf377d7c581367

Download Submit
C:\Users\Admin\AppData\Local\F7mh\msinfo32.exe

Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\vz7zzNlTn\UxTheme.dll

Filesize
976KB

MD5
f277e100b7decf60b57b762481c04d32

SHA1
4549e5436035458c68efda8a6e70065a9d248162

SHA256
dc5a9e37e0a2b6fb2ed191b6b6c106aeb64e6009ff4d4c3306e5e3e4967d86d5

SHA512
1dba1fe533113ce0c0485eb9397f34c57967f4f32f07df8603fa229c95b3e7fe150c34e80bee371a7bf39bf04f53f0fbb9e123e0cd7550658c80f7b30bc3e8b0

Download Submit
C:\Users\Admin\AppData\Local\vz7zzNlTn\msra.exe

Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
54a05cfc68d5a225327bca993b36f705

SHA1
ea4c0d6a7fa221236c945950d632a7e44bb6367e

SHA256
93566f9b580eb21264772ccf2682def2860ea541def92d3be5b869cbd77f7912

SHA512
a68301968c6cfd815d0278df2ff1d7a427308572320ca4cdca54bf52a1a97a67d62c9fb8eeea4b14f2da66f51a4753726debfec2cdf9c72072aa83f727be8115

Download Submit
memory/1616-66-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/1616-61-0x0000022EF3120000-0x0000022EF3127000-memory.dmp

Filesize
28KB

Download
memory/3492-7-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-24-0x00007FFF2B120000-0x00007FFF2B130000-memory.dmp

Filesize
64KB

Download
memory/3492-23-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-12-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-11-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-9-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-8-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-14-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-6-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-5-0x00007FFF2B07A000-0x00007FFF2B07B000-memory.dmp

Filesize
4KB

Download
memory/3492-25-0x00007FFF2B110000-0x00007FFF2B120000-memory.dmp

Filesize
64KB

Download
memory/3492-34-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-3-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3492-10-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-13-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-22-0x00000000007E0000-0x00000000007E7000-memory.dmp

Filesize
28KB

Download
memory/3576-0-0x000001B145C20000-0x000001B145C27000-memory.dmp

Filesize
28KB

Download
memory/3576-37-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3576-1-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3628-49-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/3628-50-0x000002541AC20000-0x000002541AC27000-memory.dmp

Filesize
28KB

Download
memory/3628-45-0x0000000140000000-0x00000001400F4000-memory.dmp

Filesize
976KB

Download
memory/3628-44-0x000002541AC20000-0x000002541AC27000-memory.dmp

Filesize
28KB

Download
memory/4024-77-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download
memory/4024-81-0x0000000140000000-0x00000001400F5000-memory.dmp

Filesize
980KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads