dridex | f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8

General

Target

f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8.dll
Size

677KB
MD5

155d603dd9fd58ebe24a854d6597e345
SHA1

3c43fdaa5916faf0aa144f918e71620b66b4c3d3
SHA256

f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8
SHA512

e0b43c7a69318b198b63e821bf0543bfbb4e414c8084ee1b6b3aa4bbd0f3c8ee52723ab0496308bbba8411b2ac361c42b3c110c95165367e187b25e94f1148e3
SSDEEP

12288:bMotqoDpGg+O0HCmTkLK+qIRl+lC0fVtN86WCjt:IotMg+OsCoiK+9l+lhTTWC

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-4-0x0000000003060000-0x0000000003061000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2664-1-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1184-28-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1184-39-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/1184-40-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/2664-48-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_payload
behavioral1/memory/2384-57-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/2384-62-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/1692-82-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/2900-99-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdrleakdiag.exeVaultSysUi.exeosk.exe

pid process

2384 rdrleakdiag.exe
1692 VaultSysUi.exe
2900 osk.exe
Loads dropped DLL 8 IoCs

Processes:

rdrleakdiag.exeVaultSysUi.exeosk.exe

pid process

1184
2384 rdrleakdiag.exe
1184
1184
1692 VaultSysUi.exe
1184
2900 osk.exe
1184

pid	process
2384	rdrleakdiag.exe
1692	VaultSysUi.exe
2900	osk.exe

pid	process
1184
2384	rdrleakdiag.exe
1184
1184
1692	VaultSysUi.exe
1184
2900	osk.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnfwvyvycst = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\H9\\VaultSysUi.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

osk.exerundll32.exerdrleakdiag.exeVaultSysUi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdrleakdiag.exe

pid	process
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
2384	rdrleakdiag.exe
2384	rdrleakdiag.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 2080	1184	rdrleakdiag.exe
PID 1184 wrote to memory of 2080	1184	rdrleakdiag.exe
PID 1184 wrote to memory of 2080	1184	rdrleakdiag.exe
PID 1184 wrote to memory of 2384	1184	rdrleakdiag.exe
PID 1184 wrote to memory of 2384	1184	rdrleakdiag.exe
PID 1184 wrote to memory of 2384	1184	rdrleakdiag.exe
PID 1184 wrote to memory of 2400	1184	VaultSysUi.exe
PID 1184 wrote to memory of 2400	1184	VaultSysUi.exe
PID 1184 wrote to memory of 2400	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1692	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1692	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1692	1184	VaultSysUi.exe
PID 1184 wrote to memory of 340	1184	osk.exe
PID 1184 wrote to memory of 340	1184	osk.exe
PID 1184 wrote to memory of 340	1184	osk.exe
PID 1184 wrote to memory of 2900	1184	osk.exe
PID 1184 wrote to memory of 2900	1184	osk.exe
PID 1184 wrote to memory of 2900	1184	osk.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:2080

C:\Users\Admin\AppData\Local\rAInM\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\rAInM\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:2400

C:\Users\Admin\AppData\Local\31etd66\VaultSysUi.exe
C:\Users\Admin\AppData\Local\31etd66\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1692

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:340

C:\Users\Admin\AppData\Local\X3PAy1DtG\osk.exe
C:\Users\Admin\AppData\Local\X3PAy1DtG\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\31etd66\credui.dll

Filesize
679KB

MD5
a5568326281e56a6968831df510a75e5

SHA1
e3c1bd89d3cffab003a5f62e0983bfa21fc9c77d

SHA256
ccd51a8a1685003a177fff6e424f93ef0615ddb4e58f77116cb71ef3ff483b0f

SHA512
b68b88164e3e463036af9b2da2ef29ade787801be50a5a853b22475b358e79fbd1624fb9a6ffc7089527944828dcdf9b8e97e19e45939e0fd7aadc1d336bd5e0

Download Submit
C:\Users\Admin\AppData\Local\X3PAy1DtG\MSSWCH.dll

Filesize
678KB

MD5
cb8e79d2e1804451c61325ac842f45b5

SHA1
60286a183fd4c3ed1eb60c77220a99797fa0d3ed

SHA256
3245f93b53fef9182f3638f24d0b61db03b8f559527f48cc77a427e99c839b87

SHA512
a03334e686227a39d65e418797a7e0b0b0456e6ba208e9accdada64ac2c4ffda0914ae17e35f02b739b57af26dc5964a9452546c3896fcd9beb4a6c363fd6163

Download Submit
C:\Users\Admin\AppData\Local\rAInM\wer.dll

Filesize
680KB

MD5
4bc51fdcbc095c9d743a9dc8fb807a71

SHA1
8f068fd052ce66f8d97f7629cf04da65d29b9205

SHA256
16ee9c6a6778372b5c2a096e7d6320d0f01d76bc7e4ac22c5f5d8cb4b3e8a089

SHA512
7351a6d532dca3ce87cc86eed4488c4b7672d415e5a9879811693e773c80424c743f51ea2ef0eb679cce4a812726bb36d1f74767a517f9ab3ba85225d37e7803

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk

Filesize
1KB

MD5
d18642b492f3e23ea8d6023f007bca4d

SHA1
deb456d9e1cd7d57b334981532b0f21c01abd915

SHA256
76782b3bb9b7c28659421396261a73f779bdd76ed4dc2a0c574d315b05d4114b

SHA512
2184dfce1354528316515206a9805d4a971d9d9868378a0c4d286752bf6fbd9dcd15cb1dbf0de041e6a4df9eba7d414c6436379ed282c6bed370a309f7515b4a

Download Submit
\Users\Admin\AppData\Local\31etd66\VaultSysUi.exe

Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\X3PAy1DtG\osk.exe

Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\rAInM\rdrleakdiag.exe

Filesize
39KB

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
memory/1184-28-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-40-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-14-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-13-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-12-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-11-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-10-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-9-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-8-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-7-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-6-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-3-0x0000000077866000-0x0000000077867000-memory.dmp

Filesize
4KB

Download
memory/1184-30-0x0000000077B00000-0x0000000077B02000-memory.dmp

Filesize
8KB

Download
memory/1184-29-0x0000000077971000-0x0000000077972000-memory.dmp

Filesize
4KB

Download
memory/1184-39-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-15-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-4-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/1184-49-0x0000000077866000-0x0000000077867000-memory.dmp

Filesize
4KB

Download
memory/1184-16-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-23-0x0000000002F60000-0x0000000002F67000-memory.dmp

Filesize
28KB

Download
memory/1184-18-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1184-17-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1692-77-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1692-82-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2384-59-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2384-62-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2384-57-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2664-48-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2664-1-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/2664-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2900-96-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2900-99-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads