dridex | 9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7

General

Target

9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll
Size

1.2MB
MD5

02cc0f2d0a0c7407558ac5a569c4e04c
SHA1

4b7060c03c224e42c420651368c73dbddcc3a3e3
SHA256

9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7
SHA512

ac134e657c9ec47511245fdcbf717221a83eda2faea7e57560a59e212efa9312f4f13abc29b81be6210405680f507c5d921c4f6fe9ec933249c093e342eef554
SSDEEP

6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTI:kIKp/UWCZdCDh2IZDwAFRpR6Aup

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-4-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/848-1-0x000007FEF7BC0000-0x000007FEF7CF3000-memory.dmp	dridex_payload
behavioral1/memory/1196-26-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/1196-18-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/1196-37-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/1196-39-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/848-46-0x000007FEF7BC0000-0x000007FEF7CF3000-memory.dmp	dridex_payload
behavioral1/memory/2720-55-0x000007FEF7D00000-0x000007FEF7E34000-memory.dmp	dridex_payload
behavioral1/memory/2720-59-0x000007FEF7D00000-0x000007FEF7E34000-memory.dmp	dridex_payload
behavioral1/memory/2528-69-0x000007FEF7BD0000-0x000007FEF7D04000-memory.dmp	dridex_payload
behavioral1/memory/2528-74-0x000007FEF7BD0000-0x000007FEF7D04000-memory.dmp	dridex_payload
behavioral1/memory/2580-86-0x000007FEF7BD0000-0x000007FEF7D05000-memory.dmp	dridex_payload
behavioral1/memory/2580-90-0x000007FEF7BD0000-0x000007FEF7D05000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

wisptis.exeDxpserver.exewinlogon.exe

pid process

2720 wisptis.exe
2528 Dxpserver.exe
2580 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

wisptis.exeDxpserver.exewinlogon.exe

pid process

1196
2720 wisptis.exe
1196
2528 Dxpserver.exe
1196
2580 winlogon.exe
1196

pid	process
2720	wisptis.exe
2528	Dxpserver.exe
2580	winlogon.exe

pid	process
1196
2720	wisptis.exe
1196
2528	Dxpserver.exe
1196
2580	winlogon.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\ILDd\\Dxpserver.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exerundll32.exewisptis.exeDxpserver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
848	rundll32.exe
848	rundll32.exe
848	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2700	1196	wisptis.exe
PID 1196 wrote to memory of 2700	1196	wisptis.exe
PID 1196 wrote to memory of 2700	1196	wisptis.exe
PID 1196 wrote to memory of 2720	1196	wisptis.exe
PID 1196 wrote to memory of 2720	1196	wisptis.exe
PID 1196 wrote to memory of 2720	1196	wisptis.exe
PID 1196 wrote to memory of 2744	1196	Dxpserver.exe
PID 1196 wrote to memory of 2744	1196	Dxpserver.exe
PID 1196 wrote to memory of 2744	1196	Dxpserver.exe
PID 1196 wrote to memory of 2528	1196	Dxpserver.exe
PID 1196 wrote to memory of 2528	1196	Dxpserver.exe
PID 1196 wrote to memory of 2528	1196	Dxpserver.exe
PID 1196 wrote to memory of 2536	1196	winlogon.exe
PID 1196 wrote to memory of 2536	1196	winlogon.exe
PID 1196 wrote to memory of 2536	1196	winlogon.exe
PID 1196 wrote to memory of 2580	1196	winlogon.exe
PID 1196 wrote to memory of 2580	1196	winlogon.exe
PID 1196 wrote to memory of 2580	1196	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2700

C:\Users\Admin\AppData\Local\VftOyaYY4\wisptis.exe
C:\Users\Admin\AppData\Local\VftOyaYY4\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2720

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2744

C:\Users\Admin\AppData\Local\DIIEM\Dxpserver.exe
C:\Users\Admin\AppData\Local\DIIEM\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2528

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2536

C:\Users\Admin\AppData\Local\RokxI\winlogon.exe
C:\Users\Admin\AppData\Local\RokxI\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DIIEM\dwmapi.dll

Filesize
1.2MB

MD5
63df3eb72a8ba5a3d1450716397aaf54

SHA1
51d345501cf6fbc83d04414563f46564a14ae736

SHA256
335a1803bab0f3cb2a8d9c890ac9745cc5449a16dab6766402c251f01fe66643

SHA512
9e57418d5a2eadadae6f8a1b1baef30b22a0ec9562c6fc5acbd42631982dfeea8a3f9f675eeee757b3482c736a8b944a58f7112c962ebc397f302993844e3b8c

Download Submit
C:\Users\Admin\AppData\Local\RokxI\WINSTA.dll

Filesize
1.2MB

MD5
4b990c31f8e3a477248f66cd51102f98

SHA1
cec8023ac85f5a16705b1aab6ce15eb2cb3eda4f

SHA256
6cb435613870890d72fccae2e09e242d1eac5055a0708c5c2680cb82372116cc

SHA512
e9279578b121431fbd1f06166c36de387c929c5f08d9773539a1ec10dcaa32eec4dd3176f7f947bc0448e68afa46d43f46e9c092ee7a667f2ba06c3ba4b0902f

Download Submit
C:\Users\Admin\AppData\Local\VftOyaYY4\slc.dll

Filesize
1.2MB

MD5
a4573de459e318ce7e5b5d85ac94bce7

SHA1
a8673aaf23973fb5138d141f5db7c59469125736

SHA256
517781fe73d2d077fd8268ff1acc09937c5af1518f07aa11b249f79c98b7b0f4

SHA512
4944f222f0bc63fd43a9258c16b9bea8d9d9deeea9b1aa340f7a2934ab28223840f458050c852864bbb135f1dc4facdfc2d86e85ff43bd688d0a69dbbc295fd3

Download Submit
C:\Users\Admin\AppData\Local\VftOyaYY4\wisptis.exe

Filesize
396KB

MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1KB

MD5
b848a315f7975a7bff7eef7829e098c0

SHA1
45e25d5168b2483b11716c30cdb9f674f2e1c9b5

SHA256
afb6dabd1cf2c535acfaad4e8f436233e41ba14c2df47c84280cd314007b5816

SHA512
a209f4c3abde673b26652b697394cdd0ff5f48825a11bb7ad53e46b6b3f77a09c8899110241ff9c005bc0fad3eff7920b9b3f5d11860b6c64475b57ad6620468

Download Submit
\Users\Admin\AppData\Local\DIIEM\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\RokxI\winlogon.exe

Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
memory/848-0-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/848-1-0x000007FEF7BC0000-0x000007FEF7CF3000-memory.dmp

Filesize
1.2MB

Download
memory/848-46-0x000007FEF7BC0000-0x000007FEF7CF3000-memory.dmp

Filesize
1.2MB

Download
memory/1196-14-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-16-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-13-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-12-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-11-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-10-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-9-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-8-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-18-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-28-0x0000000077AB0000-0x0000000077AB2000-memory.dmp

Filesize
8KB

Download
memory/1196-27-0x0000000077A80000-0x0000000077A82000-memory.dmp

Filesize
8KB

Download
memory/1196-37-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-39-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-15-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-47-0x0000000077816000-0x0000000077817000-memory.dmp

Filesize
4KB

Download
memory/1196-26-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-17-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-3-0x0000000077816000-0x0000000077817000-memory.dmp

Filesize
4KB

Download
memory/1196-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1196-6-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1196-21-0x0000000002090000-0x0000000002097000-memory.dmp

Filesize
28KB

Download
memory/1196-7-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2528-69-0x000007FEF7BD0000-0x000007FEF7D04000-memory.dmp

Filesize
1.2MB

Download
memory/2528-71-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2528-74-0x000007FEF7BD0000-0x000007FEF7D04000-memory.dmp

Filesize
1.2MB

Download
memory/2580-86-0x000007FEF7BD0000-0x000007FEF7D05000-memory.dmp

Filesize
1.2MB

Download
memory/2580-90-0x000007FEF7BD0000-0x000007FEF7D05000-memory.dmp

Filesize
1.2MB

Download
memory/2720-59-0x000007FEF7D00000-0x000007FEF7E34000-memory.dmp

Filesize
1.2MB

Download
memory/2720-55-0x000007FEF7D00000-0x000007FEF7E34000-memory.dmp

Filesize
1.2MB

Download
memory/2720-58-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads