dridex | c6bbb76d18634295f6f1d11741f32dd2661592bfdc63904b8fff93c88ae7297a

General

Target

c6bbb76d18634295f6f1d11741f32dd2661592bfdc63904b8fff93c88ae7297a.dll
Size

668KB
MD5

2b74d0db8f4ef0ccf074936ddbcb69e9
SHA1

85ca042ed32308e0ae1666f87808947ec70832e3
SHA256

c6bbb76d18634295f6f1d11741f32dd2661592bfdc63904b8fff93c88ae7297a
SHA512

338f8f7435f69688cabf59cba525e7678ff5b472ff428ff91dc96362baf489eeac0616cf933883ca669df267f46e1c7743004da18c41eaf1b78e187a9e924a40
SSDEEP

6144:S34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT6:SIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-4-0x0000000002DF0000-0x0000000002DF1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1972-0-0x000007FEF67E0000-0x000007FEF6887000-memory.dmp	dridex_payload
behavioral1/memory/1212-16-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1212-24-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1212-35-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1212-36-0x0000000140000000-0x00000001400A7000-memory.dmp	dridex_payload
behavioral1/memory/1972-44-0x000007FEF67E0000-0x000007FEF6887000-memory.dmp	dridex_payload
behavioral1/memory/2864-53-0x000007FEF6890000-0x000007FEF6938000-memory.dmp	dridex_payload
behavioral1/memory/2864-58-0x000007FEF6890000-0x000007FEF6938000-memory.dmp	dridex_payload
behavioral1/memory/2600-70-0x000007FEF6270000-0x000007FEF6318000-memory.dmp	dridex_payload
behavioral1/memory/2600-75-0x000007FEF6270000-0x000007FEF6318000-memory.dmp	dridex_payload
behavioral1/memory/2824-87-0x000007FEF6270000-0x000007FEF631E000-memory.dmp	dridex_payload
behavioral1/memory/2824-91-0x000007FEF6270000-0x000007FEF631E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

ddodiag.exejavaws.exemsconfig.exe

pid process

2864 ddodiag.exe
2600 javaws.exe
2824 msconfig.exe
Loads dropped DLL 7 IoCs

Processes:

ddodiag.exejavaws.exemsconfig.exe

pid process

1212
2864 ddodiag.exe
1212
2600 javaws.exe
1212
2824 msconfig.exe
1212

pid	process
2864	ddodiag.exe
2600	javaws.exe
2824	msconfig.exe

pid	process
1212
2864	ddodiag.exe
1212
2600	javaws.exe
1212
2824	msconfig.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\7RR5DJ~1\\javaws.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeddodiag.exejavaws.exemsconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeddodiag.exe

pid	process
1972	rundll32.exe
1972	rundll32.exe
1972	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
2864	ddodiag.exe
2864	ddodiag.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 2400	1212	ddodiag.exe
PID 1212 wrote to memory of 2400	1212	ddodiag.exe
PID 1212 wrote to memory of 2400	1212	ddodiag.exe
PID 1212 wrote to memory of 2864	1212	ddodiag.exe
PID 1212 wrote to memory of 2864	1212	ddodiag.exe
PID 1212 wrote to memory of 2864	1212	ddodiag.exe
PID 1212 wrote to memory of 2564	1212	javaws.exe
PID 1212 wrote to memory of 2564	1212	javaws.exe
PID 1212 wrote to memory of 2564	1212	javaws.exe
PID 1212 wrote to memory of 2600	1212	javaws.exe
PID 1212 wrote to memory of 2600	1212	javaws.exe
PID 1212 wrote to memory of 2600	1212	javaws.exe
PID 1212 wrote to memory of 788	1212	msconfig.exe
PID 1212 wrote to memory of 788	1212	msconfig.exe
PID 1212 wrote to memory of 788	1212	msconfig.exe
PID 1212 wrote to memory of 2824	1212	msconfig.exe
PID 1212 wrote to memory of 2824	1212	msconfig.exe
PID 1212 wrote to memory of 2824	1212	msconfig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6bbb76d18634295f6f1d11741f32dd2661592bfdc63904b8fff93c88ae7297a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:2400

C:\Users\Admin\AppData\Local\BsIIsIQG\ddodiag.exe
C:\Users\Admin\AppData\Local\BsIIsIQG\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:2564

C:\Users\Admin\AppData\Local\Yfs\javaws.exe
C:\Users\Admin\AppData\Local\Yfs\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2600

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:788

C:\Users\Admin\AppData\Local\jGOO2mcx\msconfig.exe
C:\Users\Admin\AppData\Local\jGOO2mcx\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BsIIsIQG\XmlLite.dll

Filesize
672KB

MD5
532acfe11fab77085524799188190224

SHA1
4dfb61e8e11bc9e48bb4bc2a7a0788ae54c7fe68

SHA256
3c138767024df5a2d87c7ab76a039bb849d4efab96018bef70ad36761ee1e095

SHA512
cd88306ca147b01094b2a8706582fb25712a196b615f2ab090e6b94f676dfe9a9a0f66506a5d7144d118b891b966eaf1d85fbf80539d56a6d7c6e45b730420b1

Download Submit
C:\Users\Admin\AppData\Local\Yfs\VERSION.dll

Filesize
672KB

MD5
196dddd4b68d2c6f2942602021c4f7a3

SHA1
58ced5f640f8ff12f5d8e2c544da02903a8b55d4

SHA256
d240178b151ee7903e69489ab2379556dcc313a63da03fb3147cf38b4075c644

SHA512
3a348d8529f667448e75acb2890de9448b9361f441d4c33d199e793fa0a853db6379cad0f79e6a38f3babe902dc4bd6c736e01f7f38896810f33fe0347f381e8

Download Submit
C:\Users\Admin\AppData\Local\jGOO2mcx\MFC42u.dll

Filesize
696KB

MD5
8668e173e545be40be44a5bef6401539

SHA1
e43cd195cf016927aa081bee4c8f8f4c1a616406

SHA256
2a69a5e1842f218bd0cc010fe5dcef3bc719c5fece10b98e1668f909ec1c81c1

SHA512
15c24a7ac976389c8b02ad9edb9e359b102d2d06d5b1df7f3f2066f5ac30c4b57c80069649d9d3f83a231d1122135ddf45c710b7f4a14c0e4851596cdda38851

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
a1d1ce952aa2938c636a8e6deb5552e9

SHA1
6a91f493bd748f507012b45adb588c08fb59db97

SHA256
071796097f9875483e6493288fcd6bb6b5201ccaa975335919ae735ebc864fdf

SHA512
a76004cf48d0c14bd8ed13c515c7d4a07271b315848fe2dd10d038058cc976bccfeb75e28245ef11058a3a397ea40062decfbb01c2499e59bf1d6ee68a7fbd27

Download Submit
\Users\Admin\AppData\Local\BsIIsIQG\ddodiag.exe

Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\Yfs\javaws.exe

Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
\Users\Admin\AppData\Local\jGOO2mcx\msconfig.exe

Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
memory/1212-26-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/1212-45-0x0000000076EC6000-0x0000000076EC7000-memory.dmp

Filesize
4KB

Download
memory/1212-14-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-13-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-12-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-10-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-9-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-8-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-7-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-24-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-25-0x0000000077230000-0x0000000077232000-memory.dmp

Filesize
8KB

Download
memory/1212-3-0x0000000076EC6000-0x0000000076EC7000-memory.dmp

Filesize
4KB

Download
memory/1212-35-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-36-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-4-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1212-15-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-23-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

Filesize
28KB

Download
memory/1212-16-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-6-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1212-11-0x0000000140000000-0x00000001400A7000-memory.dmp

Filesize
668KB

Download
memory/1972-44-0x000007FEF67E0000-0x000007FEF6887000-memory.dmp

Filesize
668KB

Download
memory/1972-0-0x000007FEF67E0000-0x000007FEF6887000-memory.dmp

Filesize
668KB

Download
memory/1972-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2600-72-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2600-70-0x000007FEF6270000-0x000007FEF6318000-memory.dmp

Filesize
672KB

Download
memory/2600-75-0x000007FEF6270000-0x000007FEF6318000-memory.dmp

Filesize
672KB

Download
memory/2824-87-0x000007FEF6270000-0x000007FEF631E000-memory.dmp

Filesize
696KB

Download
memory/2824-91-0x000007FEF6270000-0x000007FEF631E000-memory.dmp

Filesize
696KB

Download
memory/2864-58-0x000007FEF6890000-0x000007FEF6938000-memory.dmp

Filesize
672KB

Download
memory/2864-53-0x000007FEF6890000-0x000007FEF6938000-memory.dmp

Filesize
672KB

Download
memory/2864-55-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads