dridex | 328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a

General

Target

328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll
Size

696KB
MD5

09eac984a186ff4bc57bbf0d7a04057b
SHA1

fbef060f577b7aac6346db2072fc852aa4832b20
SHA256

328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a
SHA512

a690df7c00db4aa59b6a19995754820fc704a8f3524ce4394f8f99e2086b83ba835be63e490e63b59641c2e5ffd7cd575a4313021172351afe5d986a6a50980e
SSDEEP

12288:RqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:RqGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-4-0x00000000026B0000-0x00000000026B1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2120-0-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1196-23-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1196-34-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/1196-35-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2120-43-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral1/memory/2788-53-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/2788-57-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1244-70-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/1244-74-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload
behavioral1/memory/2928-90-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

winlogon.execalc.exeBitLockerWizardElev.exe

pid process

2788 winlogon.exe
1244 calc.exe
2928 BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs

Processes:

winlogon.execalc.exeBitLockerWizardElev.exe

pid process

1196
2788 winlogon.exe
1196
1244 calc.exe
1196
2928 BitLockerWizardElev.exe
1196

pid	process
2788	winlogon.exe
1244	calc.exe
2928	BitLockerWizardElev.exe

pid	process
1196
2788	winlogon.exe
1196
1244	calc.exe
1196
2928	BitLockerWizardElev.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\Yf\\calc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizardElev.exerundll32.exewinlogon.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2120	rundll32.exe
2120	rundll32.exe
2120	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2856	1196	winlogon.exe
PID 1196 wrote to memory of 2856	1196	winlogon.exe
PID 1196 wrote to memory of 2856	1196	winlogon.exe
PID 1196 wrote to memory of 2788	1196	winlogon.exe
PID 1196 wrote to memory of 2788	1196	winlogon.exe
PID 1196 wrote to memory of 2788	1196	winlogon.exe
PID 1196 wrote to memory of 2340	1196	calc.exe
PID 1196 wrote to memory of 2340	1196	calc.exe
PID 1196 wrote to memory of 2340	1196	calc.exe
PID 1196 wrote to memory of 1244	1196	calc.exe
PID 1196 wrote to memory of 1244	1196	calc.exe
PID 1196 wrote to memory of 1244	1196	calc.exe
PID 1196 wrote to memory of 1292	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 1292	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 1292	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 2928	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 2928	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 2928	1196	BitLockerWizardElev.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2856

C:\Users\Admin\AppData\Local\BeSFMekR\winlogon.exe
C:\Users\Admin\AppData\Local\BeSFMekR\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2788

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2340

C:\Users\Admin\AppData\Local\LwSC5ux\calc.exe
C:\Users\Admin\AppData\Local\LwSC5ux\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1244

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\dgNJm\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\dgNJm\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BeSFMekR\WINSTA.dll

Filesize
704KB

MD5
42c907d3bbdde9b7450efbc2d76792c0

SHA1
69985d8fbc3083a4dc85eb346c5948b5a9be2118

SHA256
124dca66a23ae69b1e2f433f1961d17435f22455392f67a0a7c420c269b2a6d5

SHA512
d5fb2898eeabab6157bda308e8e88ab0bcfb21137dbd4e85fad082ecad866b3f0bd3facb721c8585a7d4e715864f768c2d99e4a22139aeacfaa34227f73551e3

Download Submit
C:\Users\Admin\AppData\Local\BeSFMekR\winlogon.exe

Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Local\dgNJm\FVEWIZ.dll

Filesize
700KB

MD5
cc20779c870ce8869e1167e69c4f8f1b

SHA1
bef8c39661153ccffbd2e80d90e749dc48ac0d13

SHA256
e25bcd65a373339649be651f40ff8cedde74c0f7e25cc8754b3319906f26cda8

SHA512
d50490b3502b531b24bbedb66ee8ed7a9db1e44173de2d3ed9403abced104a9402a914625d47496ae40c250a678430e9e229558bfa721129ff0c5d31ea2dbe17

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

Filesize
1KB

MD5
1ae442d834673821c238629a971eb0ca

SHA1
bbb048c3829ed8b01204486e10d1662b5a28682e

SHA256
4b169c3769afd512085d7489698a1fa7b50363bc22259707ad7aa3ed737e9a3b

SHA512
d6906a5cf5ff1b863a9ef3ec468ad8a5cb3f5c4d97483f3d9c3a912e1f85305e28c72008cd69142000cfe81de9785a893c49ff58cfa8bfa0af6bb277caa50c1f

Download Submit
\Users\Admin\AppData\Local\LwSC5ux\UxTheme.dll

Filesize
700KB

MD5
c968c2c26431c79be9162159d0313d4f

SHA1
552d36754ec94bd44e429b32af4d78a1fb43bd91

SHA256
b8416bafc4d3cb642f74a502d3a1d6c0a8fd87971a7d458c834926d6bca15143

SHA512
7309f9ae327b18eea0b87e25d6f1937fa9e7be9d3da24e92daea3abe8451181b21934d7814fc3e75809112cdaf12ba70180f18b9e639c6cea3d38748583673e0

Download Submit
\Users\Admin\AppData\Local\LwSC5ux\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\dgNJm\BitLockerWizardElev.exe

Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
memory/1196-24-0x00000000777D0000-0x00000000777D2000-memory.dmp

Filesize
8KB

Download
memory/1196-44-0x0000000077466000-0x0000000077467000-memory.dmp

Filesize
4KB

Download
memory/1196-22-0x0000000002690000-0x0000000002697000-memory.dmp

Filesize
28KB

Download
memory/1196-13-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-12-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-11-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-10-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-23-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-25-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1196-3-0x0000000077466000-0x0000000077467000-memory.dmp

Filesize
4KB

Download
memory/1196-34-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-35-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-4-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1196-14-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-9-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1196-8-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1244-70-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/1244-69-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1244-74-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/2120-43-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2120-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2120-0-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2788-57-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2788-53-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2788-52-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2928-90-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads