dridex | b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4ab

General

Target

b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll
Size

864KB
MD5

2c03fc6b7234c76ff6dbe5abd2825560
SHA1

407a3f86da295159b9cab2c43b255a25455ee14b
SHA256

b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4ab
SHA512

3807cc45b91e613805cb2b7763ec31fd96d961896112460c2196bce36a5207a8f567b41c97cc72bc5fd51461fc62cfc77a4f55f8062f41b45f0f8e4065e93acb
SSDEEP

12288:2kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:2kbHkWfzZ5adwLNGeStHntqN7v

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1232-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1448-0-0x000007FEF72D0000-0x000007FEF73A8000-memory.dmp	dridex_payload
behavioral1/memory/1232-21-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/1232-29-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/1232-40-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/1232-42-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral1/memory/1448-49-0x000007FEF72D0000-0x000007FEF73A8000-memory.dmp	dridex_payload
behavioral1/memory/1732-58-0x000007FEF7210000-0x000007FEF72EA000-memory.dmp	dridex_payload
behavioral1/memory/1732-63-0x000007FEF7210000-0x000007FEF72EA000-memory.dmp	dridex_payload
behavioral1/memory/2232-75-0x000007FEF7280000-0x000007FEF7359000-memory.dmp	dridex_payload
behavioral1/memory/2232-80-0x000007FEF7280000-0x000007FEF7359000-memory.dmp	dridex_payload
behavioral1/memory/544-92-0x000007FEF7280000-0x000007FEF735A000-memory.dmp	dridex_payload
behavioral1/memory/544-97-0x000007FEF7280000-0x000007FEF735A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

xpsrchvw.exeNetplwiz.exemfpmp.exe

pid process

1732 xpsrchvw.exe
2232 Netplwiz.exe
544 mfpmp.exe
Loads dropped DLL 7 IoCs

Processes:

xpsrchvw.exeNetplwiz.exemfpmp.exe

pid process

1232
1732 xpsrchvw.exe
1232
2232 Netplwiz.exe
1232
544 mfpmp.exe
1232

pid	process
1732	xpsrchvw.exe
2232	Netplwiz.exe
544	mfpmp.exe

pid	process
1232
1732	xpsrchvw.exe
1232
2232	Netplwiz.exe
1232
544	mfpmp.exe
1232

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\iuccadQ\\Netplwiz.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exexpsrchvw.exeNetplwiz.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1448	rundll32.exe
1448	rundll32.exe
1448	rundll32.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1232 wrote to memory of 3028	1232	xpsrchvw.exe
PID 1232 wrote to memory of 3028	1232	xpsrchvw.exe
PID 1232 wrote to memory of 3028	1232	xpsrchvw.exe
PID 1232 wrote to memory of 1732	1232	xpsrchvw.exe
PID 1232 wrote to memory of 1732	1232	xpsrchvw.exe
PID 1232 wrote to memory of 1732	1232	xpsrchvw.exe
PID 1232 wrote to memory of 2592	1232	Netplwiz.exe
PID 1232 wrote to memory of 2592	1232	Netplwiz.exe
PID 1232 wrote to memory of 2592	1232	Netplwiz.exe
PID 1232 wrote to memory of 2232	1232	Netplwiz.exe
PID 1232 wrote to memory of 2232	1232	Netplwiz.exe
PID 1232 wrote to memory of 2232	1232	Netplwiz.exe
PID 1232 wrote to memory of 1756	1232	mfpmp.exe
PID 1232 wrote to memory of 1756	1232	mfpmp.exe
PID 1232 wrote to memory of 1756	1232	mfpmp.exe
PID 1232 wrote to memory of 544	1232	mfpmp.exe
PID 1232 wrote to memory of 544	1232	mfpmp.exe
PID 1232 wrote to memory of 544	1232	mfpmp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:3028

C:\Users\Admin\AppData\Local\kQ3f5B1j\xpsrchvw.exe
C:\Users\Admin\AppData\Local\kQ3f5B1j\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1732

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2592

C:\Users\Admin\AppData\Local\5GnD\Netplwiz.exe
C:\Users\Admin\AppData\Local\5GnD\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2232

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\CkLP\mfpmp.exe
C:\Users\Admin\AppData\Local\CkLP\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5GnD\NETPLWIZ.dll

Filesize
868KB

MD5
dbe816960405c23dc8166eedd4938109

SHA1
61016ca2214b3962512c8995c70e47980c5ffe64

SHA256
90c0a6c4974de413cc10314c696b0936adac15c6ead25164748a564b07122db7

SHA512
0af4c4e4bfc5768f97d1d8b0d29008380fcc1a8db8f19716e4713aa1f6f2d501729a2782a536701d55e0f2593e2e7f695f7ddec56c7d1e3b387f409f97493c8d

Download Submit
C:\Users\Admin\AppData\Local\CkLP\MFPlat.DLL

Filesize
872KB

MD5
13d7b96cf98c8e32d3ee75b89d7bb144

SHA1
26ad7554d3a9f3515201bb0e49397aea648e4d70

SHA256
290348ce2c9ae4f26fe04aae968faf6644414e17edfe49b341f8820989ee7415

SHA512
b5877d4a9b8321eb194255bda7b6d62e94a63698f80b00934f6672b375ddd2620739e2d3533302af8ef50640ff46af5daee1d48b54615b45d891b780068f9dca

Download Submit
C:\Users\Admin\AppData\Local\CkLP\mfpmp.exe

Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
C:\Users\Admin\AppData\Local\kQ3f5B1j\WINMM.dll

Filesize
872KB

MD5
f5eb65d1c826e832668f0c7028bf5004

SHA1
6108cb6c7b254463120c02808d3042b7e154040b

SHA256
7d8d1d9c44c679962c762c5bb56bd0180d616318a09bb5cca312da9b70a67a98

SHA512
f217dfe14a2554eee61dfef4105b55a759d1e1a5f1efa46711613e722517a5a544133ec805dfd80b2c490be14dfe04df0554729523a20912e6c09247eed48d3b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk

Filesize
1KB

MD5
ed50140303cadc542c409b8ff270245b

SHA1
77e45c3e21980e87560c19c9cf5f87f40ea804e3

SHA256
d5e00983af2642831d450bc8e6ddf32a7e375e5e2394e5c73e4b322618f7c1ef

SHA512
b487e6cb9338d79cc6c55f5fd3068f75aafbd2e52babdebb0b895bd184f5f09bcef60ff28f0bc35bd2f3db78529c6c8c1dfa7a63485172b29c67763995e89231

Download Submit
\Users\Admin\AppData\Local\5GnD\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\kQ3f5B1j\xpsrchvw.exe

Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
memory/544-97-0x000007FEF7280000-0x000007FEF735A000-memory.dmp

Filesize
872KB

Download
memory/544-94-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/544-92-0x000007FEF7280000-0x000007FEF735A000-memory.dmp

Filesize
872KB

Download
memory/1232-7-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-50-0x0000000076D66000-0x0000000076D67000-memory.dmp

Filesize
4KB

Download
memory/1232-6-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-21-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-28-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

Filesize
28KB

Download
memory/1232-20-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-19-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-18-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-17-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-16-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-29-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-15-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-30-0x00000000770D0000-0x00000000770D2000-memory.dmp

Filesize
8KB

Download
memory/1232-31-0x0000000077100000-0x0000000077102000-memory.dmp

Filesize
8KB

Download
memory/1232-40-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-42-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-3-0x0000000076D66000-0x0000000076D67000-memory.dmp

Filesize
4KB

Download
memory/1232-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/1232-8-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-14-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-10-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-12-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-11-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-9-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1232-13-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1448-0-0x000007FEF72D0000-0x000007FEF73A8000-memory.dmp

Filesize
864KB

Download
memory/1448-49-0x000007FEF72D0000-0x000007FEF73A8000-memory.dmp

Filesize
864KB

Download
memory/1448-2-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/1732-63-0x000007FEF7210000-0x000007FEF72EA000-memory.dmp

Filesize
872KB

Download
memory/1732-60-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1732-58-0x000007FEF7210000-0x000007FEF72EA000-memory.dmp

Filesize
872KB

Download
memory/2232-75-0x000007FEF7280000-0x000007FEF7359000-memory.dmp

Filesize
868KB

Download
memory/2232-77-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2232-80-0x000007FEF7280000-0x000007FEF7359000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads