dridex | b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4ab

General

Target

b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll
Size

864KB
MD5

2c03fc6b7234c76ff6dbe5abd2825560
SHA1

407a3f86da295159b9cab2c43b255a25455ee14b
SHA256

b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4ab
SHA512

3807cc45b91e613805cb2b7763ec31fd96d961896112460c2196bce36a5207a8f567b41c97cc72bc5fd51461fc62cfc77a4f55f8062f41b45f0f8e4065e93acb
SSDEEP

12288:2kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:2kbHkWfzZ5adwLNGeStHntqN7v

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3436-4-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3596-2-0x00007FF93E510000-0x00007FF93E5E8000-memory.dmp	dridex_payload
behavioral2/memory/3436-29-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral2/memory/3436-21-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral2/memory/3436-40-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral2/memory/3596-43-0x00007FF93E510000-0x00007FF93E5E8000-memory.dmp	dridex_payload
behavioral2/memory/3080-51-0x00007FF9302B0000-0x00007FF930389000-memory.dmp	dridex_payload
behavioral2/memory/3080-55-0x00007FF9302B0000-0x00007FF930389000-memory.dmp	dridex_payload
behavioral2/memory/2040-71-0x00007FF9302B0000-0x00007FF930389000-memory.dmp	dridex_payload
behavioral2/memory/2836-83-0x00007FF9301D0000-0x00007FF9302EE000-memory.dmp	dridex_payload
behavioral2/memory/2836-87-0x00007FF9301D0000-0x00007FF9302EE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

wextract.exeApplySettingsTemplateCatalog.exebdeunlock.exe

pid process

3080 wextract.exe
2040 ApplySettingsTemplateCatalog.exe
2836 bdeunlock.exe
Loads dropped DLL 3 IoCs

Processes:

wextract.exeApplySettingsTemplateCatalog.exebdeunlock.exe

pid process

3080 wextract.exe
2040 ApplySettingsTemplateCatalog.exe
2836 bdeunlock.exe

pid	process
3080	wextract.exe
2040	ApplySettingsTemplateCatalog.exe
2836	bdeunlock.exe

pid	process
3080	wextract.exe
2040	ApplySettingsTemplateCatalog.exe
2836	bdeunlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzvdnevrdk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\354NFMc\\ApplySettingsTemplateCatalog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewextract.exeApplySettingsTemplateCatalog.exebdeunlock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3596	rundll32.exe
3596	rundll32.exe
3596	rundll32.exe
3596	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3436

pid	process
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 3176	3436	wextract.exe
PID 3436 wrote to memory of 3176	3436	wextract.exe
PID 3436 wrote to memory of 3080	3436	wextract.exe
PID 3436 wrote to memory of 3080	3436	wextract.exe
PID 3436 wrote to memory of 2024	3436	ApplySettingsTemplateCatalog.exe
PID 3436 wrote to memory of 2024	3436	ApplySettingsTemplateCatalog.exe
PID 3436 wrote to memory of 2040	3436	ApplySettingsTemplateCatalog.exe
PID 3436 wrote to memory of 2040	3436	ApplySettingsTemplateCatalog.exe
PID 3436 wrote to memory of 4628	3436	bdeunlock.exe
PID 3436 wrote to memory of 4628	3436	bdeunlock.exe
PID 3436 wrote to memory of 2836	3436	bdeunlock.exe
PID 3436 wrote to memory of 2836	3436	bdeunlock.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:3176

C:\Users\Admin\AppData\Local\umUl\wextract.exe
C:\Users\Admin\AppData\Local\umUl\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3080

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:2024

C:\Users\Admin\AppData\Local\cUJt\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\cUJt\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2040

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:4628

C:\Users\Admin\AppData\Local\pr1oYet\bdeunlock.exe
C:\Users\Admin\AppData\Local\pr1oYet\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cUJt\ACTIVEDS.dll

Filesize
868KB

MD5
3a1fabb7c7e018a0e309a685d4cd8c27

SHA1
a6c44a4f3c9fbb2ed0dae0bd70bac26819c978e1

SHA256
a10dfb42de88a1b7c7dded6dffeb5833000a5a5db63e7a2bafc27e92e69ec82f

SHA512
8c515f6c490ceb431f90a059f440cdf4755a7afafdada31eef353a86c86dfa57f6bfa7118458b8479459f88ea81e4b1cd44c73b5feb8c9a9166b7c7a4f45629e

Download Submit
C:\Users\Admin\AppData\Local\cUJt\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Local\pr1oYet\DUI70.dll

Filesize
1.1MB

MD5
f58b4bba112ec39b96100f07d49ca43c

SHA1
fb86cfda58540f9064e6b27be45b78b94ad5b6f7

SHA256
b202487e6ccd57ed2c983dee8900d40343e2c6d11a5e8ed7fa7ecf2b9908a713

SHA512
5e52093d4742445a7b33baa83b7f2588dcbac9f24348a721d65542460f8a583a0d3d095c67e6e925e4279a4885832a8470e9ff5e0b0eab068b80d543b0e7adf2

Download Submit
C:\Users\Admin\AppData\Local\pr1oYet\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\umUl\VERSION.dll

Filesize
868KB

MD5
56fa63bea4f6630c4b6650103ce65a64

SHA1
04028b7252c3310c05f0c16b4b60ed8f7c9fb9a7

SHA256
75a4766ebd7869c5136312d30461c65c2f522fa765e01ae7646f77ed5ad997a7

SHA512
2f0c3eb63d2a4128aff2eea846a56b44fcb8250c179a88e7f72cc7b383c9558de951f2bcb01f98dddf4169f4d00164385c4f26e338202aa92b30ee077c254a37

Download Submit
C:\Users\Admin\AppData\Local\umUl\wextract.exe

Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk

Filesize
1KB

MD5
ac77eec01bd7b0596bbe8e565260dc94

SHA1
31cf2c43f0c25b2da6ef49302ea883229b734252

SHA256
1292bbfd02b89c522e9a9e6d073370dc3ff77a8e47d9a8c073deda11b3ad36f9

SHA512
c6c6c14fe17f9b9c27b4593dd809e3f074b737245066933cfc5babe9122e214acda02b165516686f1553b7169e7abb3b851bf5afb6862a646749ed1979fb7b8f

Download Submit
memory/2040-71-0x00007FF9302B0000-0x00007FF930389000-memory.dmp

Filesize
868KB

Download
memory/2040-66-0x000001A4BE170000-0x000001A4BE177000-memory.dmp

Filesize
28KB

Download
memory/2836-82-0x00000133E6910000-0x00000133E6917000-memory.dmp

Filesize
28KB

Download
memory/2836-83-0x00007FF9301D0000-0x00007FF9302EE000-memory.dmp

Filesize
1.1MB

Download
memory/2836-87-0x00007FF9301D0000-0x00007FF9302EE000-memory.dmp

Filesize
1.1MB

Download
memory/3080-55-0x00007FF9302B0000-0x00007FF930389000-memory.dmp

Filesize
868KB

Download
memory/3080-51-0x00007FF9302B0000-0x00007FF930389000-memory.dmp

Filesize
868KB

Download
memory/3080-50-0x000001CE19B20000-0x000001CE19B27000-memory.dmp

Filesize
28KB

Download
memory/3436-17-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-14-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-8-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-13-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-9-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-7-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-6-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-31-0x00007FF94D9D0000-0x00007FF94D9E0000-memory.dmp

Filesize
64KB

Download
memory/3436-30-0x00007FF94D9E0000-0x00007FF94D9F0000-memory.dmp

Filesize
64KB

Download
memory/3436-40-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-3-0x00007FF94BECA000-0x00007FF94BECB000-memory.dmp

Filesize
4KB

Download
memory/3436-11-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-12-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-10-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-15-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-16-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/3436-19-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-21-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-29-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-28-0x00000000007D0000-0x00000000007D7000-memory.dmp

Filesize
28KB

Download
memory/3436-20-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3436-18-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3596-0-0x000001DAADA60000-0x000001DAADA67000-memory.dmp

Filesize
28KB

Download
memory/3596-43-0x00007FF93E510000-0x00007FF93E5E8000-memory.dmp

Filesize
864KB

Download
memory/3596-2-0x00007FF93E510000-0x00007FF93E5E8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads