dridex | 8b32751a6432113ee710babcc5315a8aabf4b5a3647bf15aa345a6e3dd63f086

General

Target

8b32751a6432113ee710babcc5315a8aabf4b5a3647bf15aa345a6e3dd63f086.dll
Size

944KB
MD5

342cec4e287b2f1285f18c63c01fc5e4
SHA1

ba8832830889724887ef7ee003f2a3eed503e4b7
SHA256

8b32751a6432113ee710babcc5315a8aabf4b5a3647bf15aa345a6e3dd63f086
SHA512

517db6bf9b425716f80afac7f2e6d897c2fecf84adfad35cec156809bcfb634ce4700b17f7d3810b5e9b10bbd784665097d62afa1e81f625b8827ea5e81cdec2
SSDEEP

6144:s34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTg:sIKp/UWCZdCDh2IZDwAFRpR6Auk6kK

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-4-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2884-0-0x000007FEF6C50000-0x000007FEF6D3C000-memory.dmp	dridex_payload
behavioral1/memory/1196-16-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1196-24-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1196-36-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1196-35-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2884-44-0x000007FEF6C50000-0x000007FEF6D3C000-memory.dmp	dridex_payload
behavioral1/memory/572-55-0x000007FEF71C0000-0x000007FEF72AD000-memory.dmp	dridex_payload
behavioral1/memory/572-58-0x000007FEF71C0000-0x000007FEF72AD000-memory.dmp	dridex_payload
behavioral1/memory/2604-71-0x000007FEF6C40000-0x000007FEF6D33000-memory.dmp	dridex_payload
behavioral1/memory/2604-75-0x000007FEF6C40000-0x000007FEF6D33000-memory.dmp	dridex_payload
behavioral1/memory/2776-91-0x000007FEF6C40000-0x000007FEF6D33000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

fveprompt.exemsinfo32.exemsconfig.exe

pid process

572 fveprompt.exe
2604 msinfo32.exe
2776 msconfig.exe
Loads dropped DLL 7 IoCs

Processes:

fveprompt.exemsinfo32.exemsconfig.exe

pid process

1196
572 fveprompt.exe
1196
2604 msinfo32.exe
1196
2776 msconfig.exe
1196

pid	process
572	fveprompt.exe
2604	msinfo32.exe
2776	msconfig.exe

pid	process
1196
572	fveprompt.exe
1196
2604	msinfo32.exe
1196
2776	msconfig.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\dE\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exefveprompt.exemsinfo32.exemsconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 1864	1196	fveprompt.exe
PID 1196 wrote to memory of 1864	1196	fveprompt.exe
PID 1196 wrote to memory of 1864	1196	fveprompt.exe
PID 1196 wrote to memory of 572	1196	fveprompt.exe
PID 1196 wrote to memory of 572	1196	fveprompt.exe
PID 1196 wrote to memory of 572	1196	fveprompt.exe
PID 1196 wrote to memory of 2588	1196	msinfo32.exe
PID 1196 wrote to memory of 2588	1196	msinfo32.exe
PID 1196 wrote to memory of 2588	1196	msinfo32.exe
PID 1196 wrote to memory of 2604	1196	msinfo32.exe
PID 1196 wrote to memory of 2604	1196	msinfo32.exe
PID 1196 wrote to memory of 2604	1196	msinfo32.exe
PID 1196 wrote to memory of 2504	1196	msconfig.exe
PID 1196 wrote to memory of 2504	1196	msconfig.exe
PID 1196 wrote to memory of 2504	1196	msconfig.exe
PID 1196 wrote to memory of 2776	1196	msconfig.exe
PID 1196 wrote to memory of 2776	1196	msconfig.exe
PID 1196 wrote to memory of 2776	1196	msconfig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b32751a6432113ee710babcc5315a8aabf4b5a3647bf15aa345a6e3dd63f086.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:1864

C:\Users\Admin\AppData\Local\ubq\fveprompt.exe
C:\Users\Admin\AppData\Local\ubq\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:572

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2588

C:\Users\Admin\AppData\Local\IwRZmhOf3\msinfo32.exe
C:\Users\Admin\AppData\Local\IwRZmhOf3\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2604

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\lY3US0\msconfig.exe
C:\Users\Admin\AppData\Local\lY3US0\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IwRZmhOf3\MFC42u.dll

Filesize
972KB

MD5
f9ab445b0dbb3ccd11478a4fc53f3c23

SHA1
f4291b83dc197c6009dcd65a2eee509088b0439a

SHA256
d1fbe17d424e1c1c684e3f7341cfe6087c2c6bd7a3e66608f8db402cc1b8ee94

SHA512
b5e0cf7bafe477a9c3088ca33b9f9f2edfff69bb61e1f4c013cc91cb411dbe066a3626c41bd3a2de1f69d8b697b37c69eb85bd19cb7ef670db827ac1937f2df5

Download Submit
C:\Users\Admin\AppData\Local\lY3US0\MFC42u.dll

Filesize
972KB

MD5
f7bd7ee773136524acf40d0377107e95

SHA1
2d4bac1f831da29c40b1e128b01ccd46bfed5cc9

SHA256
cfbca14647f2c34b369b8aa04fc0485460c7793345012648fe918a16e5be54de

SHA512
3376262b7d6538a7dd4dd04aa8e8d2dd9acec5965647b2adac86c7a8c77b2cee80a79d6c0b8167c80f209f10126f76061ddb2615fd0f77e9b7e79ea536642b7e

Download Submit
C:\Users\Admin\AppData\Local\ubq\slc.dll

Filesize
948KB

MD5
9fa86a01d9d9297afef1de8262ffc5ad

SHA1
2246a4739ec7b2890f254388c15ee378feef2541

SHA256
afa68613f637d653f918bf24355ef01651f9a9a772077d3d97f7b3a90363161f

SHA512
77061b4740216c8a5b4388b1b54e067c8858c100c3f79e2e2d0f17ac4b91d2ab95128f76f958046db641429d9fd654f958d885833e88a82e6455f551a45f3605

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk

Filesize
1KB

MD5
2c28a147c50e037de0b23e0da0cc026f

SHA1
545585a1d19b6d73d25494f26f82ade07f7a9660

SHA256
a1f14faf1d55dfa50ee36487cac3627c4fd77788fb2fba8b67f26a80fabe8608

SHA512
b8b455e0898da53580bba4ef77f97217b64218d492fd4cfbd4edaee38cfbbc3fb42e4065d9c7a0f2133ebbc4f13da082683b3549301309d58368cc1b882c01f4

Download Submit
\Users\Admin\AppData\Local\IwRZmhOf3\msinfo32.exe

Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
\Users\Admin\AppData\Local\lY3US0\msconfig.exe

Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\ubq\fveprompt.exe

Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
memory/572-58-0x000007FEF71C0000-0x000007FEF72AD000-memory.dmp

Filesize
948KB

Download
memory/572-55-0x000007FEF71C0000-0x000007FEF72AD000-memory.dmp

Filesize
948KB

Download
memory/572-53-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1196-13-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-14-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-11-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-10-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-9-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-8-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-7-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-26-0x0000000077CA0000-0x0000000077CA2000-memory.dmp

Filesize
8KB

Download
memory/1196-25-0x0000000077C70000-0x0000000077C72000-memory.dmp

Filesize
8KB

Download
memory/1196-36-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-35-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-3-0x0000000077A06000-0x0000000077A07000-memory.dmp

Filesize
4KB

Download
memory/1196-45-0x0000000077A06000-0x0000000077A07000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1196-24-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-16-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-23-0x0000000002E30000-0x0000000002E37000-memory.dmp

Filesize
28KB

Download
memory/1196-15-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1196-6-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2604-70-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2604-71-0x000007FEF6C40000-0x000007FEF6D33000-memory.dmp

Filesize
972KB

Download
memory/2604-75-0x000007FEF6C40000-0x000007FEF6D33000-memory.dmp

Filesize
972KB

Download
memory/2776-91-0x000007FEF6C40000-0x000007FEF6D33000-memory.dmp

Filesize
972KB

Download
memory/2884-0-0x000007FEF6C50000-0x000007FEF6D3C000-memory.dmp

Filesize
944KB

Download
memory/2884-44-0x000007FEF6C50000-0x000007FEF6D3C000-memory.dmp

Filesize
944KB

Download
memory/2884-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads