dridex | 44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c

General

Target

44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c.dll
Size

696KB
MD5

97e6be25b172a40e98f8efb16c964feb
SHA1

4f42a6cab4d26118d7bfd69acc5b62f9c18b3936
SHA256

44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c
SHA512

3e69201be9918bbd2005b32296dfab4a9ab67ff9fc8970246afee3c740a6c86b2ebc4357612737af90618087f6a83790abf4ef5b3e815978f1cdcdcf9783693e
SSDEEP

12288:pqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:pqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3456-3-0x00000000024E0000-0x00000000024E1000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/5080-0-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3456-23-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3456-35-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/5080-37-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/3928-45-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/3928-49-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/4360-65-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/2380-80-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizard.exeslui.exeSystemPropertiesAdvanced.exe

pid process

3928 BitLockerWizard.exe
4360 slui.exe
2380 SystemPropertiesAdvanced.exe
Loads dropped DLL 3 IoCs

Processes:

BitLockerWizard.exeslui.exeSystemPropertiesAdvanced.exe

pid process

3928 BitLockerWizard.exe
4360 slui.exe
2380 SystemPropertiesAdvanced.exe

pid	process
3928	BitLockerWizard.exe
4360	slui.exe
2380	SystemPropertiesAdvanced.exe

pid	process
3928	BitLockerWizard.exe
4360	slui.exe
2380	SystemPropertiesAdvanced.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\E2IxToDK\\slui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeBitLockerWizard.exeslui.exeSystemPropertiesAdvanced.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3456

pid	process
3456

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 4676	3456	BitLockerWizard.exe
PID 3456 wrote to memory of 4676	3456	BitLockerWizard.exe
PID 3456 wrote to memory of 3928	3456	BitLockerWizard.exe
PID 3456 wrote to memory of 3928	3456	BitLockerWizard.exe
PID 3456 wrote to memory of 4788	3456	slui.exe
PID 3456 wrote to memory of 4788	3456	slui.exe
PID 3456 wrote to memory of 4360	3456	slui.exe
PID 3456 wrote to memory of 4360	3456	slui.exe
PID 3456 wrote to memory of 3364	3456	SystemPropertiesAdvanced.exe
PID 3456 wrote to memory of 3364	3456	SystemPropertiesAdvanced.exe
PID 3456 wrote to memory of 2380	3456	SystemPropertiesAdvanced.exe
PID 3456 wrote to memory of 2380	3456	SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44eb5b41f8edc6879346d0d3761bdb52f663cc159491af145b0cf3fe5f9bbd7c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:4676

C:\Users\Admin\AppData\Local\CieDl\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\CieDl\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3928

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:4788

C:\Users\Admin\AppData\Local\FIpxSR\slui.exe
C:\Users\Admin\AppData\Local\FIpxSR\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4360

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:3364

C:\Users\Admin\AppData\Local\gF7Q9NxJf\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\gF7Q9NxJf\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CieDl\BitLockerWizard.exe

Filesize
100KB

MD5
6d30c96f29f64b34bc98e4c81d9b0ee8

SHA1
4a3adc355f02b9c69bdbe391bfb01469dee15cf0

SHA256
7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

SHA512
25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

Download Submit
C:\Users\Admin\AppData\Local\CieDl\FVEWIZ.dll

Filesize
700KB

MD5
b888dda0bc7a42f18852cc33589f8e4f

SHA1
2305a2e56e39f30bc1e17e54a76a8a0b19a6ff38

SHA256
13085a2e481545b0e89555321277aad630668bf356f0a7239ec8d39e75a57e61

SHA512
c251b045c0b62535c32ba06617010cae1a3c4c1faddf9f8bbc12e7e606e03a232fb1143349a862a165288c7baac516e1404c3eb2433c4dda3c8ef7c36fa7b5e7

Download Submit
C:\Users\Admin\AppData\Local\FIpxSR\SLC.dll

Filesize
700KB

MD5
179a4a5115451d887ebad260cb535dbe

SHA1
1f26bccc6055f6fb5b19a13d95a0a718d8d7a992

SHA256
06a1c2c31c097ce06efbaced02ed231981063e8ff083b9c8c783d4fc0a7d0c5f

SHA512
dbdc6416b0c1471328fb2de87c540e7f24a2045b147118783f1e2a2e2967a30092c1f3e4899a0a4f641fd2bd83498ddf0b6526a04870c46dd265aa4887c40a9b

Download Submit
C:\Users\Admin\AppData\Local\FIpxSR\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Local\gF7Q9NxJf\SYSDM.CPL

Filesize
700KB

MD5
3f5d51764d16686e20ede833a4ea3271

SHA1
d6885ba311e7244e25501677389ad04704163d8d

SHA256
efd4e38e10c4892c474364de15525aa48f564900c671e5548fc5f4d90e8d3731

SHA512
e856eac2b5bd5dc1f847f219421ddce4bd9252ac5acf30d93506c25739c69cc933b96b6197cb18d18d2afd7d3e8af3773defe6da6d286973cab13051007ffdd7

Download Submit
C:\Users\Admin\AppData\Local\gF7Q9NxJf\SystemPropertiesAdvanced.exe

Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
74b50e1581c3929939653f9111b23ce3

SHA1
0eec372987e06ba79e68bcbd445e4386db32c480

SHA256
107d045bd43eb870332f6b542d87abfad9727cf9db9d2592eff4466ce4ec0328

SHA512
f4ddb37dc6a1d765cb7b95a7fc12992d77a79b62e9f58eb02465e0625f129c4584d138b1a50294b2b57f61dcd479404eac5cbe3d66cce647c7b7a07a09d194e9

Download Submit
memory/2380-80-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3456-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-24-0x00007FFE73320000-0x00007FFE73330000-memory.dmp

Filesize
64KB

Download
memory/3456-23-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-35-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-5-0x00007FFE7319A000-0x00007FFE7319B000-memory.dmp

Filesize
4KB

Download
memory/3456-3-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3456-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3456-22-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/3456-25-0x00007FFE73310000-0x00007FFE73320000-memory.dmp

Filesize
64KB

Download
memory/3928-49-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3928-45-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3928-44-0x0000026B46A80000-0x0000026B46A87000-memory.dmp

Filesize
28KB

Download
memory/4360-60-0x000002B859F70000-0x000002B859F77000-memory.dmp

Filesize
28KB

Download
memory/4360-65-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/5080-2-0x0000021D6D550000-0x0000021D6D557000-memory.dmp

Filesize
28KB

Download
memory/5080-37-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/5080-0-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads