dridex | 022313a6879b728319802186991b9397e351b4d9cb7ad36120172e81bc035d8e

General

Target

022313a6879b728319802186991b9397e351b4d9cb7ad36120172e81bc035d8e.dll
Size

692KB
MD5

a1e6e208002d96dc17583432e060abc7
SHA1

4fb85dcc732c7e3e33efe9b9b7a41e94afa4c113
SHA256

022313a6879b728319802186991b9397e351b4d9cb7ad36120172e81bc035d8e
SHA512

d73597eddce800228be18aafdcb03e9b4fb78e15efd00ba7f44a4e38c93ef6240c8e293543a621a223b7eaf074b3d8f74f5caaf68753a18a938acd5840cd608a
SSDEEP

12288:Kfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:MdAE81W381Wk8jnYz3dsPEb4s

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3492-4-0x0000000008280000-0x0000000008281000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/948-1-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/3492-24-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/3492-35-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/948-38-0x0000000140000000-0x00000001400AD000-memory.dmp	dridex_payload
behavioral2/memory/556-46-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/556-50-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload
behavioral2/memory/1432-61-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/1432-66-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_payload
behavioral2/memory/4196-81-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

sethc.exeWindowsActionDialog.exeDWWIN.EXE

pid process

556 sethc.exe
1432 WindowsActionDialog.exe
4196 DWWIN.EXE
Loads dropped DLL 3 IoCs

Processes:

sethc.exeWindowsActionDialog.exeDWWIN.EXE

pid process

556 sethc.exe
1432 WindowsActionDialog.exe
4196 DWWIN.EXE

pid	process
556	sethc.exe
1432	WindowsActionDialog.exe
4196	DWWIN.EXE

pid	process
556	sethc.exe
1432	WindowsActionDialog.exe
4196	DWWIN.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\agmTEF7dXmU\\WindowsActionDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WindowsActionDialog.exeDWWIN.EXErundll32.exesethc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008
Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3492
3492
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3492

pid	process
3492
3492

pid	process
3492

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3492 wrote to memory of 768	3492	sethc.exe
PID 3492 wrote to memory of 768	3492	sethc.exe
PID 3492 wrote to memory of 556	3492	sethc.exe
PID 3492 wrote to memory of 556	3492	sethc.exe
PID 3492 wrote to memory of 2316	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 2316	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 1432	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 1432	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 4340	3492	DWWIN.EXE
PID 3492 wrote to memory of 4340	3492	DWWIN.EXE
PID 3492 wrote to memory of 4196	3492	DWWIN.EXE
PID 3492 wrote to memory of 4196	3492	DWWIN.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\022313a6879b728319802186991b9397e351b4d9cb7ad36120172e81bc035d8e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:948

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:768

C:\Users\Admin\AppData\Local\mrgHC48qy\sethc.exe
C:\Users\Admin\AppData\Local\mrgHC48qy\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:556

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:2316

C:\Users\Admin\AppData\Local\d1y3Q\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\d1y3Q\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1432

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:4340

C:\Users\Admin\AppData\Local\edEVmK8W\DWWIN.EXE
C:\Users\Admin\AppData\Local\edEVmK8W\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\d1y3Q\DUI70.dll

Filesize
972KB

MD5
4de096d8b49f2bd6bbff32eb2659f353

SHA1
ed56fda0f228c8cefbb472588f4ff3dffa0cd1c8

SHA256
df3b94ee9d9ddc829ab6478744eded991bd6c9fece9fab0d5bf0fa20f396a937

SHA512
4d6dff9bf34286a1a6e208d63dab72e924ff6b115e0979552c3d1829b33ee160e118fdb6359133515e6a993452b2e02044b6b2c7b0d533102a82470d0e8b5272

Download Submit
C:\Users\Admin\AppData\Local\d1y3Q\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\edEVmK8W\DWWIN.EXE

Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\edEVmK8W\VERSION.dll

Filesize
696KB

MD5
cee25fb522d4d6ba5e28c8fd39646f49

SHA1
c911e78432517a6afa8e32c4838b5b1f89397f6c

SHA256
9f28092cff60af5f54833f9b5fa4214d5694e67352e01c4dde13359a18c05e35

SHA512
53caac1c2d8fb452afacc9e309ca559986a008530139fbc880ec2161439744737d49463f293c27ea054c9bbad091f869f5ce0b26b27e5c41cc4b63bf278eb648

Download Submit
C:\Users\Admin\AppData\Local\mrgHC48qy\UxTheme.dll

Filesize
696KB

MD5
e33908510df7a020dedfad2224230983

SHA1
7aec6dc8400c2673e5f4be9765de8be5b673827a

SHA256
fffea265a677926c35d2af8aecab88b3e459fa867bc67792a56d5b8e7a23e841

SHA512
350d3afb4cf2fc14d75a1eb2cf7b4cb2ed5e1905d528f9e95f5aa0e538a18c12660c2fc8c089e7c0ae758f73c4a022c9a7ba9a87d84ff3fbdd0b6b1c15220474

Download Submit
C:\Users\Admin\AppData\Local\mrgHC48qy\sethc.exe

Filesize
104KB

MD5
8ba3a9702a3f1799431cad6a290223a6

SHA1
9c7dc9b6830297c8f759d1f46c8b36664e26c031

SHA256
615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

SHA512
680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
c5f4e0338fcc4bf6a085b945f44d4c7b

SHA1
8fcebd213024316b59e3b1e99c089d1649f4e799

SHA256
f90d1d3cc96cbf85f613ea71193f4c5753bd0e81e8b7830d2ef570517f03a220

SHA512
578fd07a9a0233c9626ece85977bb0c1b0aaaf36cfbcbacb34d7e81f7fee8717d39c1c70b06f3e4b41095b8db7899e3aab458ad765d8b547b0405ae0d1ebe8d7

Download Submit
memory/556-46-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/556-50-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/556-45-0x0000021B53850000-0x0000021B53857000-memory.dmp

Filesize
28KB

Download
memory/948-1-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/948-38-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/948-2-0x000001CF6B980000-0x000001CF6B987000-memory.dmp

Filesize
28KB

Download
memory/1432-61-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1432-63-0x000001DDF17E0000-0x000001DDF17E7000-memory.dmp

Filesize
28KB

Download
memory/1432-66-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3492-13-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-25-0x00007FFB25980000-0x00007FFB25990000-memory.dmp

Filesize
64KB

Download
memory/3492-6-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-8-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-9-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-11-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-35-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-12-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-24-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-7-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-26-0x00007FFB25970000-0x00007FFB25980000-memory.dmp

Filesize
64KB

Download
memory/3492-15-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-23-0x0000000008210000-0x0000000008217000-memory.dmp

Filesize
28KB

Download
memory/3492-14-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-10-0x0000000140000000-0x00000001400AD000-memory.dmp

Filesize
692KB

Download
memory/3492-3-0x00007FFB2573A000-0x00007FFB2573B000-memory.dmp

Filesize
4KB

Download
memory/3492-4-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/4196-81-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads