dridex | e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06

General

Target

e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06.dll
Size

680KB
MD5

fc8daedac7904d67fd8451f2bf2ecf56
SHA1

4488ddc2b05aa4b38a41362bacbb9b27f427ad17
SHA256

e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06
SHA512

09a54f82a9ad5a98589cdddb4dc4d2ac8a24d6443e28f89ea6bc0e5fc1859c51c9b688faaaa8a17c09b837ee0fc3769344ffd6ddfcd9af6edc1c5e867179fc73
SSDEEP

6144:u34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:uIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1360-4-0x0000000001DB0000-0x0000000001DB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2660-0-0x000007FEFB230000-0x000007FEFB2DA000-memory.dmp	dridex_payload
behavioral1/memory/1360-18-0x0000000140000000-0x00000001400AA000-memory.dmp	dridex_payload
behavioral1/memory/1360-26-0x0000000140000000-0x00000001400AA000-memory.dmp	dridex_payload
behavioral1/memory/1360-37-0x0000000140000000-0x00000001400AA000-memory.dmp	dridex_payload
behavioral1/memory/1360-38-0x0000000140000000-0x00000001400AA000-memory.dmp	dridex_payload
behavioral1/memory/2660-46-0x000007FEFB230000-0x000007FEFB2DA000-memory.dmp	dridex_payload
behavioral1/memory/2728-55-0x000007FEFB2D0000-0x000007FEFB381000-memory.dmp	dridex_payload
behavioral1/memory/2728-60-0x000007FEFB2D0000-0x000007FEFB381000-memory.dmp	dridex_payload
behavioral1/memory/2252-76-0x000007FEF78F0000-0x000007FEF799B000-memory.dmp	dridex_payload
behavioral1/memory/2252-81-0x000007FEF78F0000-0x000007FEF799B000-memory.dmp	dridex_payload
behavioral1/memory/1020-93-0x000007FEFB1A0000-0x000007FEFB251000-memory.dmp	dridex_payload
behavioral1/memory/1020-97-0x000007FEFB1A0000-0x000007FEFB251000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exemsdtc.exemsinfo32.exe

pid process

2728 FXSCOVER.exe
2252 msdtc.exe
1020 msinfo32.exe
Loads dropped DLL 7 IoCs

Processes:

FXSCOVER.exemsdtc.exemsinfo32.exe

pid process

1360
2728 FXSCOVER.exe
1360
2252 msdtc.exe
1360
1020 msinfo32.exe
1360

pid	process
2728	FXSCOVER.exe
2252	msdtc.exe
1020	msinfo32.exe

pid	process
1360
2728	FXSCOVER.exe
1360
2252	msdtc.exe
1360
1020	msinfo32.exe
1360

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\5B6Iln2p\\msdtc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

FXSCOVER.exemsdtc.exemsinfo32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2660	rundll32.exe
2660	rundll32.exe
2660	rundll32.exe
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1360 wrote to memory of 1048	1360	FXSCOVER.exe
PID 1360 wrote to memory of 1048	1360	FXSCOVER.exe
PID 1360 wrote to memory of 1048	1360	FXSCOVER.exe
PID 1360 wrote to memory of 2728	1360	FXSCOVER.exe
PID 1360 wrote to memory of 2728	1360	FXSCOVER.exe
PID 1360 wrote to memory of 2728	1360	FXSCOVER.exe
PID 1360 wrote to memory of 1676	1360	msdtc.exe
PID 1360 wrote to memory of 1676	1360	msdtc.exe
PID 1360 wrote to memory of 1676	1360	msdtc.exe
PID 1360 wrote to memory of 2252	1360	msdtc.exe
PID 1360 wrote to memory of 2252	1360	msdtc.exe
PID 1360 wrote to memory of 2252	1360	msdtc.exe
PID 1360 wrote to memory of 1100	1360	msinfo32.exe
PID 1360 wrote to memory of 1100	1360	msinfo32.exe
PID 1360 wrote to memory of 1100	1360	msinfo32.exe
PID 1360 wrote to memory of 1020	1360	msinfo32.exe
PID 1360 wrote to memory of 1020	1360	msinfo32.exe
PID 1360 wrote to memory of 1020	1360	msinfo32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1048

C:\Users\Admin\AppData\Local\Fv2BKfBp4\FXSCOVER.exe
C:\Users\Admin\AppData\Local\Fv2BKfBp4\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2728

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:1676

C:\Users\Admin\AppData\Local\OdNu\msdtc.exe
C:\Users\Admin\AppData\Local\OdNu\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2252

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1100

C:\Users\Admin\AppData\Local\yjRju8lC\msinfo32.exe
C:\Users\Admin\AppData\Local\yjRju8lC\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Fv2BKfBp4\FXSCOVER.exe

Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
C:\Users\Admin\AppData\Local\Fv2BKfBp4\MFC42u.dll

Filesize
708KB

MD5
d4dfa3ca1a7daabd4a17efeeef0c1180

SHA1
89420ffec28dd6dfb2483dca320d753b2dc4527e

SHA256
5424580478e3036395868327765c84afe0fef2a6cccf5a5cc98e4d99bf41e602

SHA512
15976812a57ddb3bb32579952418f7745d7f93b666564b0a186c775984f9a0f6f2019e58fa4c331e7cbc52035f97eff46b2f09a8571adb31d0ce44b8708ef15e

Download Submit
C:\Users\Admin\AppData\Local\OdNu\VERSION.dll

Filesize
684KB

MD5
c2cada44a80f8c139f52b0187c0dacbb

SHA1
cbaa2f185a839fd4c1f9f766702f3a2cc6ba8327

SHA256
37597896b841deb25311ff53e5c5e01a26a3b70b2ca8f477904c55cd62d8795a

SHA512
a1422637d3cebfdb43c44bc5455ca04e7ebdf94075dc0015037b18003279df9f9ebce9e6785ce5c1232123e6b0d41787943fbd5d38b0dbc9cecd9b9f1f0589fa

Download Submit
C:\Users\Admin\AppData\Local\OdNu\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
C:\Users\Admin\AppData\Local\yjRju8lC\msinfo32.exe

Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1010B

MD5
f5c6f31484b2e6d8cee32e0e49608b96

SHA1
ff8967c4fc4f2fcb52aeac8ad36ef37fc8af024d

SHA256
2cd65999c3e49160dfe0c81a4011fa958660c3552efe0325524bbddda08ed97e

SHA512
95390c04f486840f746a69b2cf212606ea73aef1a3a5041fabbadc4d1b4bfb77b92f12221cb819752613210298aa89636b22516a00e33d5fd0fcb6990b336d44

Download Submit
\Users\Admin\AppData\Local\yjRju8lC\MFC42u.dll

Filesize
708KB

MD5
83730fac5585173494d48e4f049573a0

SHA1
8fc1b9881214b1e9453d1b9687ab492edc65d9c9

SHA256
990caee1d471695eb8d7b75a61947aa1d0a128a2bfaed20e6f2070ae57322d74

SHA512
3765d209daa7f6c0cd2785a9311f22d33c0473ef345a5d28a0748023fe73dfe0d1490080214076066c0efecae0c0af9384c1e894d1193d3b80499b14a3f8404e

Download Submit
memory/1020-97-0x000007FEFB1A0000-0x000007FEFB251000-memory.dmp

Filesize
708KB

Download
memory/1020-93-0x000007FEFB1A0000-0x000007FEFB251000-memory.dmp

Filesize
708KB

Download
memory/1360-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-47-0x0000000077406000-0x0000000077407000-memory.dmp

Filesize
4KB

Download
memory/1360-10-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-9-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-8-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-7-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-6-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-27-0x0000000077770000-0x0000000077772000-memory.dmp

Filesize
8KB

Download
memory/1360-28-0x00000000777A0000-0x00000000777A2000-memory.dmp

Filesize
8KB

Download
memory/1360-37-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-3-0x0000000077406000-0x0000000077407000-memory.dmp

Filesize
4KB

Download
memory/1360-4-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1360-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-25-0x0000000001D90000-0x0000000001D97000-memory.dmp

Filesize
28KB

Download
memory/1360-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1360-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2252-76-0x000007FEF78F0000-0x000007FEF799B000-memory.dmp

Filesize
684KB

Download
memory/2252-78-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2252-81-0x000007FEF78F0000-0x000007FEF799B000-memory.dmp

Filesize
684KB

Download
memory/2660-2-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2660-46-0x000007FEFB230000-0x000007FEFB2DA000-memory.dmp

Filesize
680KB

Download
memory/2660-0-0x000007FEFB230000-0x000007FEFB2DA000-memory.dmp

Filesize
680KB

Download
memory/2728-60-0x000007FEFB2D0000-0x000007FEFB381000-memory.dmp

Filesize
708KB

Download
memory/2728-55-0x000007FEFB2D0000-0x000007FEFB381000-memory.dmp

Filesize
708KB

Download
memory/2728-57-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads