dridex | 5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6

General

Target

5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6.dll
Size

668KB
MD5

6e81fa44ba1b79c29a1f1e2e6af6faaf
SHA1

993d4e84074a54b99a356eb3224eceb7e0b7e0f6
SHA256

5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6
SHA512

ebd94dce5c34630905ed744e7b75af2c1d934241e86717069f5b66e900906082b500f5cb494e60d5126785c569db2475e7a7732846f3b0dd1dde024643783c25
SSDEEP

6144:p34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:pIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3356-3-0x0000000002350000-0x0000000002351000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3340-0-0x00007FFA4C3F0000-0x00007FFA4C497000-memory.dmp	dridex_payload
behavioral2/memory/3356-15-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/3356-23-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/3356-34-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral2/memory/3340-37-0x00007FFA4C3F0000-0x00007FFA4C497000-memory.dmp	dridex_payload
behavioral2/memory/740-44-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp	dridex_payload
behavioral2/memory/740-49-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp	dridex_payload
behavioral2/memory/3084-65-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp	dridex_payload
behavioral2/memory/2432-80-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

lpksetup.exeSystemPropertiesDataExecutionPrevention.exeSystemPropertiesProtection.exe

pid process

740 lpksetup.exe
3084 SystemPropertiesDataExecutionPrevention.exe
2432 SystemPropertiesProtection.exe
Loads dropped DLL 3 IoCs

Processes:

lpksetup.exeSystemPropertiesDataExecutionPrevention.exeSystemPropertiesProtection.exe

pid process

740 lpksetup.exe
3084 SystemPropertiesDataExecutionPrevention.exe
2432 SystemPropertiesProtection.exe

pid	process
740	lpksetup.exe
3084	SystemPropertiesDataExecutionPrevention.exe
2432	SystemPropertiesProtection.exe

pid	process
740	lpksetup.exe
3084	SystemPropertiesDataExecutionPrevention.exe
2432	SystemPropertiesProtection.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\DOCUME~1\\GPu2QX\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exelpksetup.exeSystemPropertiesDataExecutionPrevention.exeSystemPropertiesProtection.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3340	rundll32.exe
3340	rundll32.exe
3340	rundll32.exe
3340	rundll32.exe
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3356
3356

pid	process
3356
3356

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3356 wrote to memory of 1656	3356	lpksetup.exe
PID 3356 wrote to memory of 1656	3356	lpksetup.exe
PID 3356 wrote to memory of 740	3356	lpksetup.exe
PID 3356 wrote to memory of 740	3356	lpksetup.exe
PID 3356 wrote to memory of 644	3356	SystemPropertiesDataExecutionPrevention.exe
PID 3356 wrote to memory of 644	3356	SystemPropertiesDataExecutionPrevention.exe
PID 3356 wrote to memory of 3084	3356	SystemPropertiesDataExecutionPrevention.exe
PID 3356 wrote to memory of 3084	3356	SystemPropertiesDataExecutionPrevention.exe
PID 3356 wrote to memory of 4524	3356	SystemPropertiesProtection.exe
PID 3356 wrote to memory of 4524	3356	SystemPropertiesProtection.exe
PID 3356 wrote to memory of 2432	3356	SystemPropertiesProtection.exe
PID 3356 wrote to memory of 2432	3356	SystemPropertiesProtection.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1656

C:\Users\Admin\AppData\Local\e03\lpksetup.exe
C:\Users\Admin\AppData\Local\e03\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:740

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:644

C:\Users\Admin\AppData\Local\PhthFUR\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\PhthFUR\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3084

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:4524

C:\Users\Admin\AppData\Local\47u1H\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\47u1H\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\47u1H\SYSDM.CPL

Filesize
672KB

MD5
dd797f2a014f4bcccc462797b90a8711

SHA1
45fb434262bbabb7e72ab50b7ee1cad1fefe9ba4

SHA256
95ee113e112409327a6d5a130edd5b866ad92b7838c19518a3cf7d111b61f7a0

SHA512
03af679d4895f8f456e30559c5181afcc4119610f5c333b567e1894d1351f017524b8c42767cea090a9adf10e9677840ea27383025ba87fae07eb287eb1c716c

Download Submit
C:\Users\Admin\AppData\Local\47u1H\SystemPropertiesProtection.exe

Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Local\PhthFUR\SYSDM.CPL

Filesize
672KB

MD5
237f1ec615870a65eef95c415ca8151b

SHA1
edec4c5ed6c156737ad68646c41cbe285e391701

SHA256
326fe61599c498648634d36d9c276634782d03172867681e9113a3224193b68f

SHA512
28da64ba4b60dd24604f5fdfdbd4b853d9a82e4e30845fb9c7a2aaef5e6c1fdbe15f0288e3b8b3415cdf8ccaa19b79b44ccca245d50caa099d2a9d1f5f45d53a

Download Submit
C:\Users\Admin\AppData\Local\PhthFUR\SystemPropertiesDataExecutionPrevention.exe

Filesize
82KB

MD5
de58532954c2704f2b2309ffc320651d

SHA1
0a9fc98f4d47dccb0b231edf9a63309314f68e3b

SHA256
1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

SHA512
d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Download Submit
C:\Users\Admin\AppData\Local\e03\dpx.dll

Filesize
672KB

MD5
74e75f7a7e1ab0d7db7442a56c73ee21

SHA1
cdaed41df02fde5a8f0d9e537077e26747356cea

SHA256
e660b2d5dc301f4e09ff35cf64f5d0f8049c8f04e5cd4d0aae7192ece5c4fb51

SHA512
2f913610ab3360adca6d47944ae917f25b093639cca8e0910ce9b3edd1b12a9a9dea62958ce73f1c0cee504109a04ee49fb41750935c02019f7a76ac93a15050

Download Submit
C:\Users\Admin\AppData\Local\e03\lpksetup.exe

Filesize
728KB

MD5
c75516a32e0aea02a184074d55d1a997

SHA1
f9396946c078f8b0f28e3a6e21a97eeece31d13f

SHA256
cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

SHA512
92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1KB

MD5
cdd21e5b8abf3d146431a0b92ce7192f

SHA1
47906c16c24281d988b11fff8068862ea94ab50b

SHA256
2e4e5798e70f32f7158b32f4c629ed7e5eb2d7ff68b864c284c4833a5c2f6888

SHA512
bae3a14fa7687d46e992a2253225945f5f5ec037ca28eca8a1c5e6bf5c3e4e5633bd138d4654119e8fb40b7b89245e05d1b681c78c864f3abe75797272243761

Download Submit
memory/740-49-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp

Filesize
672KB

Download
memory/740-46-0x0000027CC6730000-0x0000027CC6737000-memory.dmp

Filesize
28KB

Download
memory/740-44-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp

Filesize
672KB

Download
memory/2432-80-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp

Filesize
672KB

Download
memory/3084-65-0x00007FFA3D5C0000-0x00007FFA3D668000-memory.dmp

Filesize
672KB

Download
memory/3084-62-0x00000156A9780000-0x00000156A9787000-memory.dmp

Filesize
28KB

Download
memory/3340-2-0x000002875FA90000-0x000002875FA97000-memory.dmp

Filesize
28KB

Download
memory/3340-37-0x00007FFA4C3F0000-0x00007FFA4C497000-memory.dmp

Filesize
668KB

Download
memory/3340-0-0x00007FFA4C3F0000-0x00007FFA4C497000-memory.dmp

Filesize
668KB

Download
memory/3356-23-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-24-0x00007FFA5AF60000-0x00007FFA5AF70000-memory.dmp

Filesize
64KB

Download
memory/3356-7-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-6-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-9-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-10-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-14-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-11-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-34-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-8-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-25-0x00007FFA5AF50000-0x00007FFA5AF60000-memory.dmp

Filesize
64KB

Download
memory/3356-12-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-22-0x00000000004D0000-0x00000000004D7000-memory.dmp

Filesize
28KB

Download
memory/3356-15-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-13-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/3356-3-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3356-5-0x00007FFA5923A000-0x00007FFA5923B000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads