dridex | 763faa1110a1eb2a98349030a58923a87b9df454427bc6272ba0921280a3ea3d

General

Target

763faa1110a1eb2a98349030a58923a87b9df454427bc6272ba0921280a3ea3d.dll
Size

668KB
MD5

a54ee66f23a531967e634c34d652250a
SHA1

4ffc272ecba8c3d7822c33e0e20ca079b2564d2c
SHA256

763faa1110a1eb2a98349030a58923a87b9df454427bc6272ba0921280a3ea3d
SHA512

2e168ae652c2cab389ead5403ed020d5abc4c66667b902c93c532aade88115746d70f1237fd83c69fafb4858aadf1596cba80fe058efb8c6f2684eb86a2dae19
SSDEEP

6144:m34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:mIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-5-0x0000000002D10000-0x0000000002D11000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2364-1-0x000007FEF6D70000-0x000007FEF6E17000-memory.dmp	dridex_payload
behavioral1/memory/1256-16-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1256-24-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1256-35-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1256-38-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/2364-44-0x000007FEF6D70000-0x000007FEF6E17000-memory.dmp	dridex_payload
behavioral1/memory/2732-54-0x000007FEF6E20000-0x000007FEF6EC8000-memory.dmp	dridex_payload
behavioral1/memory/2732-58-0x000007FEF6E20000-0x000007FEF6EC8000-memory.dmp	dridex_payload
behavioral1/memory/2640-71-0x000007FEF6790000-0x000007FEF6838000-memory.dmp	dridex_payload
behavioral1/memory/2640-74-0x000007FEF6790000-0x000007FEF6838000-memory.dmp	dridex_payload
behavioral1/memory/868-90-0x000007FEF6790000-0x000007FEF6838000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

p2phost.exemsdt.exefvenotify.exe

pid process

2732 p2phost.exe
2640 msdt.exe
868 fvenotify.exe
Loads dropped DLL 7 IoCs

Processes:

p2phost.exemsdt.exefvenotify.exe

pid process

1256
2732 p2phost.exe
1256
2640 msdt.exe
1256
868 fvenotify.exe
1256

pid	process
2732	p2phost.exe
2640	msdt.exe
868	fvenotify.exe

pid	process
1256
2732	p2phost.exe
1256
2640	msdt.exe
1256
868	fvenotify.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\YQ\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exep2phost.exemsdt.exefvenotify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exep2phost.exe

pid	process
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
2732	p2phost.exe
2732	p2phost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 2304	1256	p2phost.exe
PID 1256 wrote to memory of 2304	1256	p2phost.exe
PID 1256 wrote to memory of 2304	1256	p2phost.exe
PID 1256 wrote to memory of 2732	1256	p2phost.exe
PID 1256 wrote to memory of 2732	1256	p2phost.exe
PID 1256 wrote to memory of 2732	1256	p2phost.exe
PID 1256 wrote to memory of 2596	1256	msdt.exe
PID 1256 wrote to memory of 2596	1256	msdt.exe
PID 1256 wrote to memory of 2596	1256	msdt.exe
PID 1256 wrote to memory of 2640	1256	msdt.exe
PID 1256 wrote to memory of 2640	1256	msdt.exe
PID 1256 wrote to memory of 2640	1256	msdt.exe
PID 1256 wrote to memory of 2896	1256	fvenotify.exe
PID 1256 wrote to memory of 2896	1256	fvenotify.exe
PID 1256 wrote to memory of 2896	1256	fvenotify.exe
PID 1256 wrote to memory of 868	1256	fvenotify.exe
PID 1256 wrote to memory of 868	1256	fvenotify.exe
PID 1256 wrote to memory of 868	1256	fvenotify.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\763faa1110a1eb2a98349030a58923a87b9df454427bc6272ba0921280a3ea3d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2304

C:\Users\Admin\AppData\Local\oHyBAi\p2phost.exe
C:\Users\Admin\AppData\Local\oHyBAi\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2596

C:\Users\Admin\AppData\Local\Yt15dxC\msdt.exe
C:\Users\Admin\AppData\Local\Yt15dxC\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:2896

C:\Users\Admin\AppData\Local\jG4Cgf\fvenotify.exe
C:\Users\Admin\AppData\Local\jG4Cgf\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Yt15dxC\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
C:\Users\Admin\AppData\Local\jG4Cgf\fvenotify.exe

Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\jG4Cgf\slc.dll

Filesize
672KB

MD5
024128ad453b9337e8cd434e056a7951

SHA1
8ee063add72e7bb407d45149accbd0e4fb29f235

SHA256
2ea39b3f61e179d2ba5013fa40c7fec28e81456c3c32c78dfbeeab2406cc5451

SHA512
b0a3cc2d874cfd51eb5b5ed555727f44f86e699e91ec5ff0b679f1d14fb1ab768e4709f60b5d5b7b619d94faa1cb31d8017278458a752240aafe4e65d897ddc4

Download Submit
C:\Users\Admin\AppData\Local\oHyBAi\P2P.dll

Filesize
672KB

MD5
37c98195b132c3cd77b09dd2e11ea032

SHA1
6af993121e248b1036eb018751d12bfa158f9fba

SHA256
000f06334f817bfd544426647599f1f019eb660e2a9c9a83354769e30101ba8b

SHA512
0a2969767afbf8347b5464f72c7a2556c467aced44a471f78d809995d9b0a43a7c2f4eb16c2fd685c5a8ccac24513571e87e6309a24d4b13ccb1dd9b714c9998

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
2a117fbc6502efe077897af7dafa0f1e

SHA1
3a60ccf09e7393e91bf7eb06c9d9dbe687da1fae

SHA256
18e697fcde77a0835ea3c279abaab47044864176203dde2f8b146d2876953204

SHA512
25700292c03651002c9cb067ad85436c933f728e38420e19773df4a47932fb10e2b4336e025489e99c8f26ba7868bf540fb5e9c536bea8facde3c5c1dbfb297d

Download Submit
\Users\Admin\AppData\Local\Yt15dxC\Secur32.dll

Filesize
672KB

MD5
fa391a04e06c44601aa42a94c540eae2

SHA1
369ee1933a960914880e3209f38dc294476e44bc

SHA256
70b01a527f89609e4e99a0a61f87e995c57c35a891913f21099a91ebb07f683d

SHA512
064b36e3df287bfb8cf10c054c309ba519f1793380a7a92af5344f0eca639a755ee25a0858953af18466b66d04788255ff641498733f90ae7a0574997f95d4fe

Download Submit
\Users\Admin\AppData\Local\oHyBAi\p2phost.exe

Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/868-90-0x000007FEF6790000-0x000007FEF6838000-memory.dmp

Filesize
672KB

Download
memory/1256-25-0x00000000777E0000-0x00000000777E2000-memory.dmp

Filesize
8KB

Download
memory/1256-15-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-13-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-12-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-11-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-9-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-7-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-6-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-24-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-26-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/1256-3-0x0000000077576000-0x0000000077577000-memory.dmp

Filesize
4KB

Download
memory/1256-35-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-38-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-5-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1256-45-0x0000000077576000-0x0000000077577000-memory.dmp

Filesize
4KB

Download
memory/1256-14-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-23-0x0000000002180000-0x0000000002187000-memory.dmp

Filesize
28KB

Download
memory/1256-8-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-10-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1256-16-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/2364-44-0x000007FEF6D70000-0x000007FEF6E17000-memory.dmp

Filesize
668KB

Download
memory/2364-0-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2364-1-0x000007FEF6D70000-0x000007FEF6E17000-memory.dmp

Filesize
668KB

Download
memory/2640-70-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2640-71-0x000007FEF6790000-0x000007FEF6838000-memory.dmp

Filesize
672KB

Download
memory/2640-74-0x000007FEF6790000-0x000007FEF6838000-memory.dmp

Filesize
672KB

Download
memory/2732-58-0x000007FEF6E20000-0x000007FEF6EC8000-memory.dmp

Filesize
672KB

Download
memory/2732-53-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2732-54-0x000007FEF6E20000-0x000007FEF6EC8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads