dridex | 4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa

General

Target

4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll
Size

692KB
MD5

e9531680b8f5142d44285991f2709e0a
SHA1

45d9e59a69ddade77a8f3b4f0edb6deb18e8d3b6
SHA256

4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa
SHA512

dbb8b8208e7f6ebf90a715963d9fdbfdb29c66ce079c9b805f116064e5ffbd334f5ef958279460ac3193a1610eca25d90f7e63c078b0e70369c2d0bef3262617
SSDEEP

12288:AqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:AqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3448-3-0x0000000002E50000-0x0000000002E51000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2872-0-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/3448-22-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/3448-33-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/2872-36-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/4752-52-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/4752-56-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/1028-67-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/1028-71-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/4872-82-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral2/memory/4872-86-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

Processes:

consent.exewusa.exeWindowsActionDialog.exeWFS.exe

pid process

2580 consent.exe
4752 wusa.exe
1028 WindowsActionDialog.exe
4872 WFS.exe
Loads dropped DLL 3 IoCs

Processes:

wusa.exeWindowsActionDialog.exeWFS.exe

pid process

4752 wusa.exe
1028 WindowsActionDialog.exe
4872 WFS.exe

pid	process
2580	consent.exe
4752	wusa.exe
1028	WindowsActionDialog.exe
4872	WFS.exe

pid	process
4752	wusa.exe
1028	WindowsActionDialog.exe
4872	WFS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\MGCAX2~1\\WINDOW~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WindowsActionDialog.exeWFS.exerundll32.exewusa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2872	rundll32.exe
2872	rundll32.exe
2872	rundll32.exe
2872	rundll32.exe
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3448
3448
3448
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3448
3448
3448
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3448

pid	process
3448
3448
3448

pid	process
3448
3448
3448

pid	process
3448

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3448 wrote to memory of 5040	3448	consent.exe
PID 3448 wrote to memory of 5040	3448	consent.exe
PID 3448 wrote to memory of 2580	3448	consent.exe
PID 3448 wrote to memory of 2580	3448	consent.exe
PID 3448 wrote to memory of 1288	3448	wusa.exe
PID 3448 wrote to memory of 1288	3448	wusa.exe
PID 3448 wrote to memory of 4752	3448	wusa.exe
PID 3448 wrote to memory of 4752	3448	wusa.exe
PID 3448 wrote to memory of 3156	3448	WindowsActionDialog.exe
PID 3448 wrote to memory of 3156	3448	WindowsActionDialog.exe
PID 3448 wrote to memory of 1028	3448	WindowsActionDialog.exe
PID 3448 wrote to memory of 1028	3448	WindowsActionDialog.exe
PID 3448 wrote to memory of 4856	3448	WFS.exe
PID 3448 wrote to memory of 4856	3448	WFS.exe
PID 3448 wrote to memory of 4872	3448	WFS.exe
PID 3448 wrote to memory of 4872	3448	WFS.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:5040

C:\Users\Admin\AppData\Local\meKPP\consent.exe
C:\Users\Admin\AppData\Local\meKPP\consent.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:1288

C:\Users\Admin\AppData\Local\4qWa\wusa.exe
C:\Users\Admin\AppData\Local\4qWa\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4752

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:3156

C:\Users\Admin\AppData\Local\WF8m\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\WF8m\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1028

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:4856

C:\Users\Admin\AppData\Local\87h\WFS.exe
C:\Users\Admin\AppData\Local\87h\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4qWa\WTSAPI32.dll

Filesize
696KB

MD5
25a58e1561bef8a3a9e02a36cbde6bd9

SHA1
56de31be4f68874a5f31bd4e69ab30600fdd57ee

SHA256
cc9de7474ee560211b1053f4fd99e79fc53d50f382fe2bbeff15c6055a71d468

SHA512
db29bf59ba6340793e4bd98df8b28b2de8980aa431a6d73d019de0850a5d26b591d6a547ba89c49591f9d880aeb14e3d1c3e4827ad14f8957a1d2b0d63c2fd00

Download Submit
C:\Users\Admin\AppData\Local\4qWa\wusa.exe

Filesize
309KB

MD5
e43499ee2b4cf328a81bace9b1644c5d

SHA1
b2b55641f2799e3fdb3bea709c9532017bbac59d

SHA256
3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

SHA512
04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

Download Submit
C:\Users\Admin\AppData\Local\87h\WFS.exe

Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\87h\WINMM.dll

Filesize
700KB

MD5
cf2b66b356343a9eee9bf788ceb11069

SHA1
1068bce2bc016bab7415b1d0a3427b3c96406ca3

SHA256
f2a4c1187c63a70ab0d89469bfc9bf694820bcb8d557369ce235688ca967a416

SHA512
94699909b7b529de65f3ba01f473f04e0382af116a34f7a55931d6ac7e70a92dfd7de0d2c8f418d6ecd8b76313276ffbefe34fe6069148a98bdad954f686e5c0

Download Submit
C:\Users\Admin\AppData\Local\WF8m\DUI70.dll

Filesize
972KB

MD5
7166cde56420a7405bc40f1bfc4dc428

SHA1
d5f4a3dc7362fccad4159aacfbf29e9f189b248e

SHA256
f1c689623deed7940c70faaa8e546a8a2bfde22483a004dabae76d3f993cfc38

SHA512
d9402a9444792f7a41b487249c6093a751a707cee40f38b9ebb8a7add6db7c0fe11d7006883f75005f53e7feaaf63271859a91f6ab3d830b003797b65bda6c26

Download Submit
C:\Users\Admin\AppData\Local\WF8m\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\meKPP\consent.exe

Filesize
162KB

MD5
6646631ce4ad7128762352da81f3b030

SHA1
1095bd4b63360fc2968d75622aa745e5523428ab

SHA256
56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

SHA512
1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
714B

MD5
001c8b264d69a54bad1b4f19ece04188

SHA1
dfc9991c1abeab91e7827881adcf8ebd51a4b7c9

SHA256
ff7f9bf42581c8c6021cb259eb319b4394ea93ee7d4d95b051930e488901a16a

SHA512
8c650a069a9df095eeedf44c6d041e9923ce29e2116e058c8c66f2856a95bfc021e428e0e128d149d411ba7fc508c899c2f282e9ae60f2263c220f90baa87d0c

Download Submit
memory/1028-67-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1028-71-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/2872-2-0x0000021229610000-0x0000021229617000-memory.dmp

Filesize
28KB

Download
memory/2872-36-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/2872-0-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-10-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-21-0x0000000002D20000-0x0000000002D27000-memory.dmp

Filesize
28KB

Download
memory/3448-7-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-6-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-23-0x00007FFC90F40000-0x00007FFC90F50000-memory.dmp

Filesize
64KB

Download
memory/3448-24-0x00007FFC90F30000-0x00007FFC90F40000-memory.dmp

Filesize
64KB

Download
memory/3448-33-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-22-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-4-0x00007FFC8FBDA000-0x00007FFC8FBDB000-memory.dmp

Filesize
4KB

Download
memory/3448-3-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/3448-12-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-9-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-11-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-8-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3448-13-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/4752-56-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/4752-52-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/4752-51-0x000001B9E67D0000-0x000001B9E67D7000-memory.dmp

Filesize
28KB

Download
memory/4872-82-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/4872-86-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads