dridex | 44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c

General

Target

44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c.dll
Size

696KB
MD5

97e6be25b172a40e98f8efb16c964feb
SHA1

4f42a6cab4d26118d7bfd69acc5b62f9c18b3936
SHA256

44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c
SHA512

3e69201be9918bbd2005b32296dfab4a9ab67ff9fc8970246afee3c740a6c86b2ebc4357612737af90618087f6a83790abf4ef5b3e815978f1cdcdcf9783693e
SSDEEP

12288:pqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:pqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-4-0x0000000002A80000-0x0000000002A81000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2044-0-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1200-23-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1200-35-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1200-34-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2044-43-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1356-54-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1356-57-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2696-74-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1700-90-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rekeywiz.exeNetplwiz.exePresentationSettings.exe

pid process

1356 rekeywiz.exe
2696 Netplwiz.exe
1700 PresentationSettings.exe
Loads dropped DLL 7 IoCs

Processes:

rekeywiz.exeNetplwiz.exePresentationSettings.exe

pid process

1200
1356 rekeywiz.exe
1200
2696 Netplwiz.exe
1200
1700 PresentationSettings.exe
1200

pid	process
1356	rekeywiz.exe
2696	Netplwiz.exe
1700	PresentationSettings.exe

pid	process
1200
1356	rekeywiz.exe
1200
2696	Netplwiz.exe
1200
1700	PresentationSettings.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\Joh\\Netplwiz.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PresentationSettings.exerundll32.exerekeywiz.exeNetplwiz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2768	1200	rekeywiz.exe
PID 1200 wrote to memory of 2768	1200	rekeywiz.exe
PID 1200 wrote to memory of 2768	1200	rekeywiz.exe
PID 1200 wrote to memory of 1356	1200	rekeywiz.exe
PID 1200 wrote to memory of 1356	1200	rekeywiz.exe
PID 1200 wrote to memory of 1356	1200	rekeywiz.exe
PID 1200 wrote to memory of 2668	1200	Netplwiz.exe
PID 1200 wrote to memory of 2668	1200	Netplwiz.exe
PID 1200 wrote to memory of 2668	1200	Netplwiz.exe
PID 1200 wrote to memory of 2696	1200	Netplwiz.exe
PID 1200 wrote to memory of 2696	1200	Netplwiz.exe
PID 1200 wrote to memory of 2696	1200	Netplwiz.exe
PID 1200 wrote to memory of 2096	1200	PresentationSettings.exe
PID 1200 wrote to memory of 2096	1200	PresentationSettings.exe
PID 1200 wrote to memory of 2096	1200	PresentationSettings.exe
PID 1200 wrote to memory of 1700	1200	PresentationSettings.exe
PID 1200 wrote to memory of 1700	1200	PresentationSettings.exe
PID 1200 wrote to memory of 1700	1200	PresentationSettings.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\1gm\rekeywiz.exe
C:\Users\Admin\AppData\Local\1gm\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1356

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2668

C:\Users\Admin\AppData\Local\mn7\Netplwiz.exe
C:\Users\Admin\AppData\Local\mn7\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2696

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2096

C:\Users\Admin\AppData\Local\aGpedy\PresentationSettings.exe
C:\Users\Admin\AppData\Local\aGpedy\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1gm\slc.dll

Filesize
700KB

MD5
da4fe91a4699db9ddff89c3c4807f86c

SHA1
a9ed25369307b03dbb9f19750f9bb90658f72bad

SHA256
da4cec7fda932683d3ead598d6754c12715df48f1cfc3ad1969bc56844fd42e8

SHA512
4b79db6465ad91628d1bd544b9f2d569bddab64834c3c6b498b9e4a1cf065352d274f72d85533e2bcd4ec184da28475289d5e1f8064219bfabd2fe3bd3e2244c

Download Submit
C:\Users\Admin\AppData\Local\aGpedy\slc.dll

Filesize
700KB

MD5
84204d487981b6d1bc2574d0884d08a7

SHA1
50583407c881f8714b40ddf87e68a50ceefc6199

SHA256
4b477fe273ea6781e17aec3d2f4cb8867956433f5eecdeac7e69554fbd891a24

SHA512
42e625a63b5e2696ec4518d184c50d0460a173bed18098a5c3b0292a3219bb9cd4290d7686413ca4849c1435783db7013712f8f921a40f93e9bd2c89d34079ea

Download Submit
C:\Users\Admin\AppData\Local\mn7\NETPLWIZ.dll

Filesize
700KB

MD5
a56b15be40d5c0e3554d55e8a126d67e

SHA1
c807e380b9bc68b4bd23c872318ac643f6fde824

SHA256
d6d32ddb91c963a0e2f11f72f9545e0b18f93647d06ca6390c49fee1bfdb2bfa

SHA512
93db46e499cf7f8dd500f9445d5225bc402e487d5b43b6a0af127ece6e9f2746ce9cc58af0d814d0fcb3bd830103bf99ddae128cf15dc227a1d22ce44e10cb7f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
b18640e0a7cc0ee6eef70c2c1191b32e

SHA1
0027288ba4cbd1c9da686beb804e0906ae3fe209

SHA256
4bc521d2f1c62ad516bafe13d71faa71c18ad61086451d14b9cb288cb31bfb16

SHA512
bfaf0cdf257a03c1831c3bb71deb386a33c19344126f0945d358f386376b8dfff7767d39b6eaae06b33c3fa1bc578e40772d01d6039b72607a32346483816888

Download Submit
\Users\Admin\AppData\Local\1gm\rekeywiz.exe

Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
\Users\Admin\AppData\Local\aGpedy\PresentationSettings.exe

Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\mn7\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
memory/1200-23-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-44-0x0000000077766000-0x0000000077767000-memory.dmp

Filesize
4KB

Download
memory/1200-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-25-0x0000000077A00000-0x0000000077A02000-memory.dmp

Filesize
8KB

Download
memory/1200-24-0x00000000779D0000-0x00000000779D2000-memory.dmp

Filesize
8KB

Download
memory/1200-3-0x0000000077766000-0x0000000077767000-memory.dmp

Filesize
4KB

Download
memory/1200-35-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-34-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1200-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1200-22-0x0000000002A60000-0x0000000002A67000-memory.dmp

Filesize
28KB

Download
memory/1356-57-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1356-54-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1356-52-0x00000000002E0000-0x00000000002E7000-memory.dmp

Filesize
28KB

Download
memory/1700-90-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2044-43-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2044-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2044-0-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2696-69-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2696-74-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads