dridex | c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e

General

Target

c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll
Size

672KB
MD5

d7b6390737e5cbc33070d66723208014
SHA1

d8706c8648e39289dabead6db0f9d5094048bcd7
SHA256

c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e
SHA512

b168072d2f1c92383f9336484b3cf1595eeba37602718b0a295d1fbacc6255967bacd9fff2090e48570086a104b8f94bf637c2a32ab84a87feef0ede9fa6fa0c
SSDEEP

6144:K34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:KIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3540-3-0x00000000088C0000-0x00000000088C1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4912-0-0x00007FF8F1D90000-0x00007FF8F1E38000-memory.dmp	dridex_payload
behavioral2/memory/3540-15-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3540-24-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3540-35-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/4912-38-0x00007FF8F1D90000-0x00007FF8F1E38000-memory.dmp	dridex_payload
behavioral2/memory/4564-46-0x00007FF8E2160000-0x00007FF8E220A000-memory.dmp	dridex_payload
behavioral2/memory/4564-50-0x00007FF8E2160000-0x00007FF8E220A000-memory.dmp	dridex_payload
behavioral2/memory/2032-62-0x00007FF8E1AC0000-0x00007FF8E1B69000-memory.dmp	dridex_payload
behavioral2/memory/2032-66-0x00007FF8E1AC0000-0x00007FF8E1B69000-memory.dmp	dridex_payload
behavioral2/memory/3744-77-0x00007FF8E2160000-0x00007FF8E2209000-memory.dmp	dridex_payload
behavioral2/memory/3744-81-0x00007FF8E2160000-0x00007FF8E2209000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdpinput.exeosk.exeslui.exe

pid process

4564 rdpinput.exe
2032 osk.exe
3744 slui.exe
Loads dropped DLL 3 IoCs

Processes:

rdpinput.exeosk.exeslui.exe

pid process

4564 rdpinput.exe
2032 osk.exe
3744 slui.exe

pid	process
4564	rdpinput.exe
2032	osk.exe
3744	slui.exe

pid	process
4564	rdpinput.exe
2032	osk.exe
3744	slui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\gJWx1uyZzY\\osk.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinput.exeosk.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4912	rundll32.exe
4912	rundll32.exe
4912	rundll32.exe
4912	rundll32.exe
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3540
3540
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3540

pid	process
3540
3540

pid	process
3540

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3540 wrote to memory of 1728	3540	rdpinput.exe
PID 3540 wrote to memory of 1728	3540	rdpinput.exe
PID 3540 wrote to memory of 4564	3540	rdpinput.exe
PID 3540 wrote to memory of 4564	3540	rdpinput.exe
PID 3540 wrote to memory of 1688	3540	osk.exe
PID 3540 wrote to memory of 1688	3540	osk.exe
PID 3540 wrote to memory of 2032	3540	osk.exe
PID 3540 wrote to memory of 2032	3540	osk.exe
PID 3540 wrote to memory of 224	3540	slui.exe
PID 3540 wrote to memory of 224	3540	slui.exe
PID 3540 wrote to memory of 3744	3540	slui.exe
PID 3540 wrote to memory of 3744	3540	slui.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:1728

C:\Users\Admin\AppData\Local\hgI4eMM\rdpinput.exe
C:\Users\Admin\AppData\Local\hgI4eMM\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4564

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:1688

C:\Users\Admin\AppData\Local\k5xkp50U1\osk.exe
C:\Users\Admin\AppData\Local\k5xkp50U1\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2032

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:224

C:\Users\Admin\AppData\Local\LaC87fc\slui.exe
C:\Users\Admin\AppData\Local\LaC87fc\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LaC87fc\SLC.dll

Filesize
676KB

MD5
39f02e530573166ed2e93a0fa14c9df2

SHA1
8b4df122c02b20937b090ad0cce85895ea662298

SHA256
92d2f09912b1e101a8d1307bf886a952ed780d0b7135ac4107da33d4479878ad

SHA512
78d5471cfc709d942377c72e4395f58951c3fac7afb80399c60daec5947801da731d0c33b8cc296b87e4f599780cebf121d4f66c5fbb6cbb065a50cc4853aca1

Download Submit
C:\Users\Admin\AppData\Local\LaC87fc\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Local\hgI4eMM\WINSTA.dll

Filesize
680KB

MD5
d98dbc9913e93df62870cf7f9cda4d5e

SHA1
ed2260b5626b45ffeef349ba55fe0ecd7effc645

SHA256
46f22cc9ef84497cfdb0dbb2b3b951fe72cba9ce70e50377e9b90f39f65001f8

SHA512
a02e559c139bc552c6a2967cdcbbcc628ae80cd1dcada6611c95e8abd5d9fa59cd22833962c62e589a425094f44f3df06ac875373fdba1be9dbdc182bd1ba21d

Download Submit
C:\Users\Admin\AppData\Local\hgI4eMM\rdpinput.exe

Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Local\k5xkp50U1\OLEACC.dll

Filesize
676KB

MD5
4be3be79f153d9a568ea76865dd13a3c

SHA1
905b58cb5d52b2c03c5b745c03e2dd0f5678583f

SHA256
eb52385faa0bae3dbb46732ab28add4302933c635dfbd5a52ef2473e0e43f5be

SHA512
c1d3c90089188026ebb68ce57270b4ba49af74505448bd2de9b02166445d12cdc947eeed76e6589d0e3021ec278d15f319e5982dcf1b1d8deceb23fb7480a668

Download Submit
C:\Users\Admin\AppData\Local\k5xkp50U1\osk.exe

Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
21ef0c0d01a3cca37ce893e47094b23b

SHA1
5c911bc45d5200ea0df4af0676ef78702024aad6

SHA256
b6f9521111b95f1890031569ea514a7d036f126de23c6c90b22368547d4fde36

SHA512
4928264e2ae52e4667937b151d5839d511274f5361d62ca5d32c190d5454e86680d36ec954a4a12c8e8a3901e1da272f4732985c83e23f605dbf3a454b23f3fc

Download Submit
memory/2032-66-0x00007FF8E1AC0000-0x00007FF8E1B69000-memory.dmp

Filesize
676KB

Download
memory/2032-62-0x00007FF8E1AC0000-0x00007FF8E1B69000-memory.dmp

Filesize
676KB

Download
memory/2032-61-0x000002D893810000-0x000002D893817000-memory.dmp

Filesize
28KB

Download
memory/3540-25-0x00007FF900C40000-0x00007FF900C50000-memory.dmp

Filesize
64KB

Download
memory/3540-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-3-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/3540-5-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-22-0x00007FF8FFECA000-0x00007FF8FFECB000-memory.dmp

Filesize
4KB

Download
memory/3540-23-0x00000000088A0000-0x00000000088A7000-memory.dmp

Filesize
28KB

Download
memory/3540-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-24-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-35-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3540-26-0x00007FF900C30000-0x00007FF900C40000-memory.dmp

Filesize
64KB

Download
memory/3744-77-0x00007FF8E2160000-0x00007FF8E2209000-memory.dmp

Filesize
676KB

Download
memory/3744-81-0x00007FF8E2160000-0x00007FF8E2209000-memory.dmp

Filesize
676KB

Download
memory/4564-50-0x00007FF8E2160000-0x00007FF8E220A000-memory.dmp

Filesize
680KB

Download
memory/4564-46-0x00007FF8E2160000-0x00007FF8E220A000-memory.dmp

Filesize
680KB

Download
memory/4564-45-0x000001DEAA090000-0x000001DEAA097000-memory.dmp

Filesize
28KB

Download
memory/4912-0-0x00007FF8F1D90000-0x00007FF8F1E38000-memory.dmp

Filesize
672KB

Download
memory/4912-38-0x00007FF8F1D90000-0x00007FF8F1E38000-memory.dmp

Filesize
672KB

Download
memory/4912-2-0x0000018A827E0000-0x0000018A827E7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads