dridex | 4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a

General

Target

4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a.dll
Size

952KB
MD5

b432d15a89c0b864b8f28153733c9e2e
SHA1

7dd1e2dd2f3a78cecee6cee02c5725d93a412b46
SHA256

4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a
SHA512

4c5eaebdb580839d6611dd34196bb084b79550ee2aa0b19ce26175fa5746ab6921a5b932a59587431abadba12ee95b048f0d2a2bb66e4ca69597bc51f41dec8b
SSDEEP

6144:p34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:pIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2728-0-0x000007FEF5CA0000-0x000007FEF5D8E000-memory.dmp	dridex_payload
behavioral1/memory/1192-19-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral1/memory/1192-26-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral1/memory/1192-37-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral1/memory/1192-39-0x0000000140000000-0x00000001400EE000-memory.dmp	dridex_payload
behavioral1/memory/2728-46-0x000007FEF5CA0000-0x000007FEF5D8E000-memory.dmp	dridex_payload
behavioral1/memory/800-56-0x000007FEF62C0000-0x000007FEF63AF000-memory.dmp	dridex_payload
behavioral1/memory/800-60-0x000007FEF62C0000-0x000007FEF63AF000-memory.dmp	dridex_payload
behavioral1/memory/2480-72-0x000007FEF5CA0000-0x000007FEF5D8F000-memory.dmp	dridex_payload
behavioral1/memory/2480-76-0x000007FEF5CA0000-0x000007FEF5D8F000-memory.dmp	dridex_payload
behavioral1/memory/2324-90-0x000007FEF5CA0000-0x000007FEF5D8F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exemblctr.exesigverif.exe

pid process

800 SystemPropertiesHardware.exe
2480 mblctr.exe
2324 sigverif.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesHardware.exemblctr.exesigverif.exe

pid process

1192
800 SystemPropertiesHardware.exe
1192
2480 mblctr.exe
1192
2324 sigverif.exe
1192

pid	process
800	SystemPropertiesHardware.exe
2480	mblctr.exe
2324	sigverif.exe

pid	process
1192
800	SystemPropertiesHardware.exe
1192
2480	mblctr.exe
1192
2324	sigverif.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\3X4ZXP4S\\BSIFJN~1\\mblctr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sigverif.exerundll32.exeSystemPropertiesHardware.exemblctr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesHardware.exe

pid	process
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
800	SystemPropertiesHardware.exe
800	SystemPropertiesHardware.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 1140	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 1140	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 1140	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 800	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 800	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 800	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 2052	1192	mblctr.exe
PID 1192 wrote to memory of 2052	1192	mblctr.exe
PID 1192 wrote to memory of 2052	1192	mblctr.exe
PID 1192 wrote to memory of 2480	1192	mblctr.exe
PID 1192 wrote to memory of 2480	1192	mblctr.exe
PID 1192 wrote to memory of 2480	1192	mblctr.exe
PID 1192 wrote to memory of 2020	1192	sigverif.exe
PID 1192 wrote to memory of 2020	1192	sigverif.exe
PID 1192 wrote to memory of 2020	1192	sigverif.exe
PID 1192 wrote to memory of 2324	1192	sigverif.exe
PID 1192 wrote to memory of 2324	1192	sigverif.exe
PID 1192 wrote to memory of 2324	1192	sigverif.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b773db138c8cc3dc18a140ff7641053a01214ebb3dd8135e53e8d47e9f39d2a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1140

C:\Users\Admin\AppData\Local\oLuGf531\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\oLuGf531\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:2052

C:\Users\Admin\AppData\Local\t66Xk7LK\mblctr.exe
C:\Users\Admin\AppData\Local\t66Xk7LK\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2480

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\R3eA\sigverif.exe
C:\Users\Admin\AppData\Local\R3eA\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\R3eA\VERSION.dll

Filesize
956KB

MD5
bd684729482f9e2639985be0157fc060

SHA1
bd33295d556cd156cf8a62ae451b5b7c15a287b0

SHA256
0e386aca903aecbc96585843b4b829ca4c8900356d64dcb212ce6b0359bd85a2

SHA512
c50d765fb801ebbaef83352967ecfcc09e92ac086f734cfd813c9bf4f0b2c2665ed57ba00386cb386641647d36616ff59768016f9c58e1602d6205a50eaea659

Download Submit
C:\Users\Admin\AppData\Local\oLuGf531\SYSDM.CPL

Filesize
956KB

MD5
ce029a103abd2009272f07e0ca7501c6

SHA1
070bdbec4571cc2b61af9647e6b449955b29e326

SHA256
4eaaeffd71bc8f9770acaad938d3b32c4884a1d14a52bb4cf2a0cf46b37eb2d1

SHA512
1133bcc09c389e837a6764bee60bb9b4bb91e34f4c04a6a2a442c4a11ec3f19f816a027f7589bf41a5058576993345e82ac81637f54a64186ea413812fd3a8df

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
6710e1dfb51c828229e0efc922901df5

SHA1
acd251f621214fe88d76ca009a9e998e4dbf6195

SHA256
1710408f77017d12818cf3e904dd37194e91dc4b5faf4c8a0b7f42f159eb6de0

SHA512
6dcb608eaa373f5639cddcabe10ce47fea26c1796b2bb1bf877803fc4d2495fc10b7d50355b835b77431212c16b13b83c3cf9ca0213d95ec9c844e2eae6247f8

Download Submit
\Users\Admin\AppData\Local\R3eA\sigverif.exe

Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\oLuGf531\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\t66Xk7LK\WTSAPI32.dll

Filesize
956KB

MD5
3d4cbdfde6c5cd85cf19997eb332ff2b

SHA1
c38a02ef674d5df2d0bec9f99f4799d5357e760c

SHA256
27e3ccf2a181412dcf7f61a989ca180210106e12d4c77c3b03a4bc66fa599267

SHA512
c60f818741565d5648f59e8a2167412ed4fd8b69b402a5930eca434061d5f1460a82b3c938f35268a5bc5e8cbe594ad69b0d2efe0ce1d36285c3c7bd3fb0992e

Download Submit
\Users\Admin\AppData\Local\t66Xk7LK\mblctr.exe

Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
memory/800-55-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/800-60-0x000007FEF62C0000-0x000007FEF63AF000-memory.dmp

Filesize
956KB

Download
memory/800-56-0x000007FEF62C0000-0x000007FEF63AF000-memory.dmp

Filesize
956KB

Download
memory/1192-16-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-19-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-14-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-13-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-12-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-11-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-10-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-9-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-8-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-27-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

Filesize
8KB

Download
memory/1192-28-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/1192-37-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-39-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-3-0x0000000076B86000-0x0000000076B87000-memory.dmp

Filesize
4KB

Download
memory/1192-47-0x0000000076B86000-0x0000000076B87000-memory.dmp

Filesize
4KB

Download
memory/1192-26-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1192-15-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-17-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-25-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

Filesize
28KB

Download
memory/1192-6-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/1192-7-0x0000000140000000-0x00000001400EE000-memory.dmp

Filesize
952KB

Download
memory/2324-90-0x000007FEF5CA0000-0x000007FEF5D8F000-memory.dmp

Filesize
956KB

Download
memory/2480-72-0x000007FEF5CA0000-0x000007FEF5D8F000-memory.dmp

Filesize
956KB

Download
memory/2480-76-0x000007FEF5CA0000-0x000007FEF5D8F000-memory.dmp

Filesize
956KB

Download
memory/2728-2-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2728-46-0x000007FEF5CA0000-0x000007FEF5D8E000-memory.dmp

Filesize
952KB

Download
memory/2728-0-0x000007FEF5CA0000-0x000007FEF5D8E000-memory.dmp

Filesize
952KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads