dridex | d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26

General

Target

d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26.dll
Size

1.4MB
MD5

460853dc2d4eb8c6ef969468e96d4848
SHA1

1cf879eaffda5e86c10851318b6aced388609191
SHA256

d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26
SHA512

481935aaf938dca27ff8fc91ea0d905db8c7d9036be72e2ac5eaa449ddfde7a8d074f9d20d51a11a1f850d11730c9f2a0e18ca3bfa99ea2455b573a45cd2182e
SSDEEP

12288:vkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:vkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-4-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1088-0-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/1208-27-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/1208-34-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/1208-35-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/1088-43-0x0000000140000000-0x0000000140167000-memory.dmp	dridex_payload
behavioral1/memory/2556-52-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral1/memory/2556-57-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral1/memory/2996-74-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral1/memory/2744-90-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

EhStorAuthn.exeperfmon.exeStikyNot.exe

pid process

2556 EhStorAuthn.exe
2996 perfmon.exe
2744 StikyNot.exe
Loads dropped DLL 7 IoCs

Processes:

EhStorAuthn.exeperfmon.exeStikyNot.exe

pid process

1208
2556 EhStorAuthn.exe
1208
2996 perfmon.exe
1208
2744 StikyNot.exe
1208

pid	process
2556	EhStorAuthn.exe
2996	perfmon.exe
2744	StikyNot.exe

pid	process
1208
2556	EhStorAuthn.exe
1208
2996	perfmon.exe
1208
2744	StikyNot.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnfwvyvycst = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\8KUStXe\\perfmon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEhStorAuthn.exeperfmon.exeStikyNot.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1088	rundll32.exe
1088	rundll32.exe
1088	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2836	1208	EhStorAuthn.exe
PID 1208 wrote to memory of 2836	1208	EhStorAuthn.exe
PID 1208 wrote to memory of 2836	1208	EhStorAuthn.exe
PID 1208 wrote to memory of 2556	1208	EhStorAuthn.exe
PID 1208 wrote to memory of 2556	1208	EhStorAuthn.exe
PID 1208 wrote to memory of 2556	1208	EhStorAuthn.exe
PID 1208 wrote to memory of 2700	1208	perfmon.exe
PID 1208 wrote to memory of 2700	1208	perfmon.exe
PID 1208 wrote to memory of 2700	1208	perfmon.exe
PID 1208 wrote to memory of 2996	1208	perfmon.exe
PID 1208 wrote to memory of 2996	1208	perfmon.exe
PID 1208 wrote to memory of 2996	1208	perfmon.exe
PID 1208 wrote to memory of 2764	1208	StikyNot.exe
PID 1208 wrote to memory of 2764	1208	StikyNot.exe
PID 1208 wrote to memory of 2764	1208	StikyNot.exe
PID 1208 wrote to memory of 2744	1208	StikyNot.exe
PID 1208 wrote to memory of 2744	1208	StikyNot.exe
PID 1208 wrote to memory of 2744	1208	StikyNot.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:2836

C:\Users\Admin\AppData\Local\1GgSUlGE\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\1GgSUlGE\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2556

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2700

C:\Users\Admin\AppData\Local\mD0fQl\perfmon.exe
C:\Users\Admin\AppData\Local\mD0fQl\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2996

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\zUWAQFSf\StikyNot.exe
C:\Users\Admin\AppData\Local\zUWAQFSf\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1GgSUlGE\UxTheme.dll

Filesize
1.4MB

MD5
a355a475b8b958f54689f63d9d0988f0

SHA1
83a87aa810cb8acfe6121387cc2b44100cec662f

SHA256
05429ea2ad8cf176b890a87362f8a73b26169d7977548bee5287ec2333e38177

SHA512
33ec024c44c7a9b8269030e6776a12e7d8d2c25bdf3f4957da45883ed73c3262728f1381465690f5539f6f20595446fc1922daed8f61af00d23f7376385d1361

Download Submit
C:\Users\Admin\AppData\Local\mD0fQl\Secur32.dll

Filesize
1.4MB

MD5
23403064ddd2f46c4f7ca06299b28c50

SHA1
496f4bfa83b595cb8d7f30ffec9a7107231059ab

SHA256
8714c89899db5c2959c9416e6c9f2d7e006b5bd2768461379426622b34341ca8

SHA512
2dd6f563db9c2af9270bd9658935166d3c5b2bc4147d99e2a21167c73abaf016ccaf7c210eb81e181801c47f12483a6779b8c132da83056ce5f94421741b1199

Download Submit
C:\Users\Admin\AppData\Local\zUWAQFSf\slc.dll

Filesize
1.4MB

MD5
1b300c706db8210513452b55f896605f

SHA1
f7e1f1e0429bab8de2e29f78a5b73ae08b49d066

SHA256
cdb4f81d4a710f434406ce961a98fd5624b00b8f4eaf4efee90c0ed04b5fa0cb

SHA512
3cc26281699428a22c60314876f2a95e72df4e044f73ebe61fc77792dabdd552928a99d0ec038fcb65f1ce058bd7a7e822fbb98d05a8cb6a40f672d9e22640ca

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk

Filesize
1KB

MD5
521ddd362c97f014f5641e52a2350f88

SHA1
c4005fe4d620a95b4012f73f31e6e8cde8c980df

SHA256
915ec74a39102c129bfec96301b0108062f85a2b026510d76c21568cf3fc87fe

SHA512
753361b87f873badc950f38b148ebfe22ef1b634e42568df53f2d62697e8434e5ea5b5b5fafdcee00ef73a2f53e2ac51e2113d364ed7fd3b83efad3e02423375

Download Submit
\Users\Admin\AppData\Local\1GgSUlGE\EhStorAuthn.exe

Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
\Users\Admin\AppData\Local\mD0fQl\perfmon.exe

Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\zUWAQFSf\StikyNot.exe

Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
memory/1088-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1088-0-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1088-43-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-35-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-29-0x0000000077200000-0x0000000077202000-memory.dmp

Filesize
8KB

Download
memory/1208-28-0x00000000771D0000-0x00000000771D2000-memory.dmp

Filesize
8KB

Download
memory/1208-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-34-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-26-0x0000000002F50000-0x0000000002F57000-memory.dmp

Filesize
28KB

Download
memory/1208-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-44-0x0000000076F66000-0x0000000076F67000-memory.dmp

Filesize
4KB

Download
memory/1208-17-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-3-0x0000000076F66000-0x0000000076F67000-memory.dmp

Filesize
4KB

Download
memory/1208-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1208-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1208-6-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2556-57-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2556-52-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2556-54-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2744-90-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2996-69-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2996-74-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads