dridex | 2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e

General

Target

2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e.dll
Size

664KB
MD5

85ba6340c836fdcd7efc7fbc78d60817
SHA1

53e49b348a3ff1db4a5b59f34165f3ca6c1cbe4f
SHA256

2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e
SHA512

c4249b7c390a382aeddc94c1b3e3f445517c2c5962ae8d1bebc837f30e2b2a9997c758c4f892be4c55eea757c31e4ba58baf9d336dda8b74ef2de8f263ca3a67
SSDEEP

6144:P34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:PIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3416-3-0x0000000002B80000-0x0000000002B81000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2900-0-0x00007FFC86B30000-0x00007FFC86BD6000-memory.dmp	dridex_payload
behavioral2/memory/3416-15-0x0000000140000000-0x00000001400A6000-memory.dmp	dridex_payload
behavioral2/memory/3416-34-0x0000000140000000-0x00000001400A6000-memory.dmp	dridex_payload
behavioral2/memory/3416-22-0x0000000140000000-0x00000001400A6000-memory.dmp	dridex_payload
behavioral2/memory/2900-37-0x00007FFC86B30000-0x00007FFC86BD6000-memory.dmp	dridex_payload
behavioral2/memory/2452-44-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp	dridex_payload
behavioral2/memory/2452-49-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp	dridex_payload
behavioral2/memory/1604-65-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp	dridex_payload
behavioral2/memory/3400-80-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exeCustomShellHost.exequickassist.exe

pid process

2452 SystemPropertiesHardware.exe
1604 CustomShellHost.exe
3400 quickassist.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesHardware.exeCustomShellHost.exequickassist.exe

pid process

2452 SystemPropertiesHardware.exe
1604 CustomShellHost.exe
3400 quickassist.exe

pid	process
2452	SystemPropertiesHardware.exe
1604	CustomShellHost.exe
3400	quickassist.exe

pid	process
2452	SystemPropertiesHardware.exe
1604	CustomShellHost.exe
3400	quickassist.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\K3\\CustomShellHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesHardware.exeCustomShellHost.exequickassist.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quickassist.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416
3416

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3416
3416
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3416

pid	process
3416
3416

pid	process
3416

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3416 wrote to memory of 2504	3416	SystemPropertiesHardware.exe
PID 3416 wrote to memory of 2504	3416	SystemPropertiesHardware.exe
PID 3416 wrote to memory of 2452	3416	SystemPropertiesHardware.exe
PID 3416 wrote to memory of 2452	3416	SystemPropertiesHardware.exe
PID 3416 wrote to memory of 3832	3416	CustomShellHost.exe
PID 3416 wrote to memory of 3832	3416	CustomShellHost.exe
PID 3416 wrote to memory of 1604	3416	CustomShellHost.exe
PID 3416 wrote to memory of 1604	3416	CustomShellHost.exe
PID 3416 wrote to memory of 5004	3416	quickassist.exe
PID 3416 wrote to memory of 5004	3416	quickassist.exe
PID 3416 wrote to memory of 3400	3416	quickassist.exe
PID 3416 wrote to memory of 3400	3416	quickassist.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\sbYX4UvM\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\sbYX4UvM\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2452

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:3832

C:\Users\Admin\AppData\Local\AY2IlI\CustomShellHost.exe
C:\Users\Admin\AppData\Local\AY2IlI\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1604

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:5004

C:\Users\Admin\AppData\Local\Fax\quickassist.exe
C:\Users\Admin\AppData\Local\Fax\quickassist.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AY2IlI\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\AY2IlI\WTSAPI32.dll

Filesize
668KB

MD5
95efdf84a72a0cd7e3682477d32ca63a

SHA1
0b142a664878f2261def8d0537ba2cc116720885

SHA256
6d8749dcb99fab66ed70a3b33051ac38a7c1137884a50bd503f77596ba591761

SHA512
9d54cefeeb50e123d05c84f740ab2b66e21bc755f03c4bcfa0dd1d0d6f8509e10e2f9de65d1d95546a8d6d9194a5350ed763b5c0c14b5e703d18f7c3a00afe66

Download Submit
C:\Users\Admin\AppData\Local\Fax\UxTheme.dll

Filesize
668KB

MD5
f98836ddf74ae5f93df49214f6773d1d

SHA1
7871a377e081c52c8c1f0582ff82e09f3265a32d

SHA256
b7de519adacae5eeff6b4971c692e146a1fa02341f4a21deb317e6709775f4f3

SHA512
b5f80bc6304aa2f1fcc67734addf48be4d6ee943f9666095ac1405cdc2251b414d3ee5a7bda3f36c060c75ac682ca1cf6df183e01bef5f063d6719f97b6d8d9d

Download Submit
C:\Users\Admin\AppData\Local\Fax\quickassist.exe

Filesize
665KB

MD5
d1216f9b9a64fd943539cc2b0ddfa439

SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Download Submit
C:\Users\Admin\AppData\Local\sbYX4UvM\SYSDM.CPL

Filesize
668KB

MD5
7ea6e80e61db284a92973e3ee348fb01

SHA1
b0fc8ecc4613063112ad75bc74f9ecd290e5128c

SHA256
4ac969201bdf95d05fe0fe0d9febf48a238fab177ea814ee99574987a05af1dd

SHA512
9ec81935f2b03734b7dcd457b5550a1e183f1609d57851ce80feb9315b7f25057195016c72d9db43f9d4449403532ab0422a701b2aa8a210879d3b1abb08ffb5

Download Submit
C:\Users\Admin\AppData\Local\sbYX4UvM\SystemPropertiesHardware.exe

Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
6297faaa7e191140061e25e2c69fa064

SHA1
0e267f1215c13e09819b8ecdb7a2fb7f8196b3fb

SHA256
9385421a9a7d2a62d6a3dc01e73a1dbb6da50812981e52d7deaba91a5d05598f

SHA512
264fbf495a73719719fa061202cfc410e32cabccfe277ba43b7e86423fba025df97b02d2719a9be7f66cf64a17aef86044927835c7e4147260106ba027e56d75

Download Submit
memory/1604-65-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp

Filesize
668KB

Download
memory/1604-60-0x0000023B45DA0000-0x0000023B45DA7000-memory.dmp

Filesize
28KB

Download
memory/2452-44-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp

Filesize
668KB

Download
memory/2452-49-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp

Filesize
668KB

Download
memory/2452-46-0x00000244EE7C0000-0x00000244EE7C7000-memory.dmp

Filesize
28KB

Download
memory/2900-2-0x000001DC2D920000-0x000001DC2D927000-memory.dmp

Filesize
28KB

Download
memory/2900-37-0x00007FFC86B30000-0x00007FFC86BD6000-memory.dmp

Filesize
664KB

Download
memory/2900-0-0x00007FFC86B30000-0x00007FFC86BD6000-memory.dmp

Filesize
664KB

Download
memory/3400-80-0x00007FFC86130000-0x00007FFC861D7000-memory.dmp

Filesize
668KB

Download
memory/3416-13-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-25-0x00007FFC94C10000-0x00007FFC94C20000-memory.dmp

Filesize
64KB

Download
memory/3416-6-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-8-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-10-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-22-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-23-0x0000000002FB0000-0x0000000002FB7000-memory.dmp

Filesize
28KB

Download
memory/3416-34-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-24-0x00007FFC94C20000-0x00007FFC94C30000-memory.dmp

Filesize
64KB

Download
memory/3416-7-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-11-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-14-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-15-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-9-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-12-0x0000000140000000-0x00000001400A6000-memory.dmp

Filesize
664KB

Download
memory/3416-5-0x00007FFC935DA000-0x00007FFC935DB000-memory.dmp

Filesize
4KB

Download
memory/3416-3-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads