dridex | 21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f

General

Target

21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll
Size

1.2MB
MD5

2a6a4941d8146df58356dd5c72b0478a
SHA1

c6f28c746bddcc4e68512911bc99afe0d8f2d3d9
SHA256

21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f
SHA512

5d36fd395ea33e9a838fca4b5b0a7eabe893fb6e51f39e2aae59ad60c763e6b5bf83e2cedbe9095b74bff682ee300f13c777254e81e4ef724699167f1f5094f9
SSDEEP

6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTP:kIKp/UWCZdCDh2IZDwAFRpR6Au+

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3408-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2412-2-0x00007FFE4E530000-0x00007FFE4E663000-memory.dmp	dridex_payload
behavioral2/memory/3408-18-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/3408-26-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/3408-37-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral2/memory/2412-40-0x00007FFE4E530000-0x00007FFE4E663000-memory.dmp	dridex_payload
behavioral2/memory/4868-48-0x00007FFE445F0000-0x00007FFE44725000-memory.dmp	dridex_payload
behavioral2/memory/4868-52-0x00007FFE445F0000-0x00007FFE44725000-memory.dmp	dridex_payload
behavioral2/memory/4716-64-0x00007FFE447A0000-0x00007FFE448D4000-memory.dmp	dridex_payload
behavioral2/memory/4716-67-0x00007FFE447A0000-0x00007FFE448D4000-memory.dmp	dridex_payload
behavioral2/memory/4540-84-0x00007FFE447A0000-0x00007FFE448D4000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

sessionmsg.exedxgiadaptercache.exeisoburn.exe

pid process

4868 sessionmsg.exe
4716 dxgiadaptercache.exe
4540 isoburn.exe
Loads dropped DLL 4 IoCs

Processes:

sessionmsg.exedxgiadaptercache.exeisoburn.exe

pid process

4868 sessionmsg.exe
4716 dxgiadaptercache.exe
4716 dxgiadaptercache.exe
4540 isoburn.exe

pid	process
4868	sessionmsg.exe
4716	dxgiadaptercache.exe
4540	isoburn.exe

pid	process
4868	sessionmsg.exe
4716	dxgiadaptercache.exe
4716	dxgiadaptercache.exe
4540	isoburn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsrvevdpr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\ZLfhbQ\\dxgiadaptercache.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesessionmsg.exedxgiadaptercache.exeisoburn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3408

pid	process
3408

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3408 wrote to memory of 4656	3408	sessionmsg.exe
PID 3408 wrote to memory of 4656	3408	sessionmsg.exe
PID 3408 wrote to memory of 4868	3408	sessionmsg.exe
PID 3408 wrote to memory of 4868	3408	sessionmsg.exe
PID 3408 wrote to memory of 3716	3408	dxgiadaptercache.exe
PID 3408 wrote to memory of 3716	3408	dxgiadaptercache.exe
PID 3408 wrote to memory of 4716	3408	dxgiadaptercache.exe
PID 3408 wrote to memory of 4716	3408	dxgiadaptercache.exe
PID 3408 wrote to memory of 2228	3408	isoburn.exe
PID 3408 wrote to memory of 2228	3408	isoburn.exe
PID 3408 wrote to memory of 4540	3408	isoburn.exe
PID 3408 wrote to memory of 4540	3408	isoburn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:4656

C:\Users\Admin\AppData\Local\nAYljZU20\sessionmsg.exe
C:\Users\Admin\AppData\Local\nAYljZU20\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4868

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:3716

C:\Users\Admin\AppData\Local\FSRpFNFGR\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\FSRpFNFGR\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4716

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2228

C:\Users\Admin\AppData\Local\l2VIUw\isoburn.exe
C:\Users\Admin\AppData\Local\l2VIUw\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FSRpFNFGR\dxgi.dll

Filesize
1.2MB

MD5
66a396e7ca65676d32237de046800285

SHA1
c093b3d7dc460bdaa21309c82fba08af7cef2dcc

SHA256
53640e64c7d511fefa13ecc4ca80897b24cb598e22896622e67b83a100bb290f

SHA512
a77f60b0d09dc20a651e88c828a3b1197c561b39b9b8479eb92f7aa7d2b7c5ca2bb44cf93b3c635248772cc8db8f6d21ad346b00a2fa93161cfcb3337b1b2244

Download Submit
C:\Users\Admin\AppData\Local\FSRpFNFGR\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\l2VIUw\UxTheme.dll

Filesize
1.2MB

MD5
b8aca36de75b6a2225dd9c71450cc98a

SHA1
cde844a9b14419f122a552a9ca85fb843688b122

SHA256
a57f94375d3a1f11f6c50f51c1b1cf97104ed20dd43239db6892036a367d64bc

SHA512
f660e4df9fceccc96019e16a9ff164476b015c1ecdfaec38fa8e4186bd324456def624b57cd0ee6dd95592419b44e94e1d1493a457d1cb262efd05109b645118

Download Submit
C:\Users\Admin\AppData\Local\l2VIUw\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Local\nAYljZU20\DUser.dll

Filesize
1.2MB

MD5
501a9393130eebf40e80d97ef6657622

SHA1
698781e2a4eecbe3d97c94e6a2e3e207fc0a5ba4

SHA256
d832e5d14a9d819305e159576fc66532f38b5cc7111cab474a9a24d3190626c2

SHA512
8698e3f7d88696040c0c285bbc322aa8ad51e1aa3744dc43395ae6a95b5cd3127b8d16b0e8090f1819f203f4528e915f6796e759756350378b81296e9af2b67e

Download Submit
C:\Users\Admin\AppData\Local\nAYljZU20\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk

Filesize
1KB

MD5
44f4cb2f7331b85406d261a2a9d346c4

SHA1
27755b519b0507c2e06ec54273b6876e8d4a2c6c

SHA256
0d84bdd7d207421f442d0e1fc9a794d87503233c6c8015dd1a7ac7473310fb2f

SHA512
616b405e84454407cbaee2b5667f5ab24697419f99efc6c413710074e07e4621620d966447fa407959f37b920d04c7b367a6b657913ee5ad80f6d748fa88c3e0

Download Submit
memory/2412-0-0x0000017FC7CC0000-0x0000017FC7CC7000-memory.dmp

Filesize
28KB

Download
memory/2412-2-0x00007FFE4E530000-0x00007FFE4E663000-memory.dmp

Filesize
1.2MB

Download
memory/2412-40-0x00007FFE4E530000-0x00007FFE4E663000-memory.dmp

Filesize
1.2MB

Download
memory/3408-9-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-18-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-16-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-15-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-14-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-13-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-12-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-10-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-27-0x00007FFE62060000-0x00007FFE62070000-memory.dmp

Filesize
64KB

Download
memory/3408-8-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-7-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-37-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-28-0x00007FFE62050000-0x00007FFE62060000-memory.dmp

Filesize
64KB

Download
memory/3408-26-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-25-0x0000000001150000-0x0000000001157000-memory.dmp

Filesize
28KB

Download
memory/3408-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/3408-3-0x00007FFE60B4A000-0x00007FFE60B4B000-memory.dmp

Filesize
4KB

Download
memory/3408-6-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-17-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3408-11-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/4540-84-0x00007FFE447A0000-0x00007FFE448D4000-memory.dmp

Filesize
1.2MB

Download
memory/4716-64-0x00007FFE447A0000-0x00007FFE448D4000-memory.dmp

Filesize
1.2MB

Download
memory/4716-66-0x0000027E30560000-0x0000027E30567000-memory.dmp

Filesize
28KB

Download
memory/4716-67-0x00007FFE447A0000-0x00007FFE448D4000-memory.dmp

Filesize
1.2MB

Download
memory/4868-52-0x00007FFE445F0000-0x00007FFE44725000-memory.dmp

Filesize
1.2MB

Download
memory/4868-48-0x00007FFE445F0000-0x00007FFE44725000-memory.dmp

Filesize
1.2MB

Download
memory/4868-47-0x000002258B430000-0x000002258B437000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads