dridex | e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06

General

Target

e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06.dll
Size

680KB
MD5

fc8daedac7904d67fd8451f2bf2ecf56
SHA1

4488ddc2b05aa4b38a41362bacbb9b27f427ad17
SHA256

e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06
SHA512

09a54f82a9ad5a98589cdddb4dc4d2ac8a24d6443e28f89ea6bc0e5fc1859c51c9b688faaaa8a17c09b837ee0fc3769344ffd6ddfcd9af6edc1c5e867179fc73
SSDEEP

6144:u34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:uIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3348-3-0x0000000008240000-0x0000000008241000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1244-0-0x00007FF92E760000-0x00007FF92E80A000-memory.dmp	dridex_payload
behavioral2/memory/3348-26-0x0000000140000000-0x00000001400AA000-memory.dmp	dridex_payload
behavioral2/memory/3348-37-0x0000000140000000-0x00000001400AA000-memory.dmp	dridex_payload
behavioral2/memory/3348-18-0x0000000140000000-0x00000001400AA000-memory.dmp	dridex_payload
behavioral2/memory/1244-40-0x00007FF92E760000-0x00007FF92E80A000-memory.dmp	dridex_payload
behavioral2/memory/2216-48-0x00007FF91F580000-0x00007FF91F62B000-memory.dmp	dridex_payload
behavioral2/memory/2216-52-0x00007FF91F580000-0x00007FF91F62B000-memory.dmp	dridex_payload
behavioral2/memory/2904-68-0x00007FF91F580000-0x00007FF91F62B000-memory.dmp	dridex_payload
behavioral2/memory/1528-79-0x00007FF91E860000-0x00007FF91E90B000-memory.dmp	dridex_payload
behavioral2/memory/1528-83-0x00007FF91E860000-0x00007FF91E90B000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

wscript.exewscript.exeunregmp2.exe

pid process

2216 wscript.exe
2904 wscript.exe
1528 unregmp2.exe
Loads dropped DLL 3 IoCs

Processes:

wscript.exewscript.exeunregmp2.exe

pid process

2216 wscript.exe
2904 wscript.exe
1528 unregmp2.exe

pid	process
2216	wscript.exe
2904	wscript.exe
1528	unregmp2.exe

pid	process
2216	wscript.exe
2904	wscript.exe
1528	unregmp2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\PnkhJIfyK\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wscript.exewscript.exeunregmp2.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3348
3348
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3348

pid	process
3348
3348

pid	process
3348

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3348 wrote to memory of 1596	3348	wscript.exe
PID 3348 wrote to memory of 1596	3348	wscript.exe
PID 3348 wrote to memory of 2216	3348	wscript.exe
PID 3348 wrote to memory of 2216	3348	wscript.exe
PID 3348 wrote to memory of 4964	3348	wscript.exe
PID 3348 wrote to memory of 4964	3348	wscript.exe
PID 3348 wrote to memory of 2904	3348	wscript.exe
PID 3348 wrote to memory of 2904	3348	wscript.exe
PID 3348 wrote to memory of 3760	3348	unregmp2.exe
PID 3348 wrote to memory of 3760	3348	unregmp2.exe
PID 3348 wrote to memory of 1528	3348	unregmp2.exe
PID 3348 wrote to memory of 1528	3348	unregmp2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e01422a81dacdf1eabb4333ea5ccb6c6a05e0b348d1d6ec3413e913b241b0b06.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1596

C:\Users\Admin\AppData\Local\D9D\wscript.exe
C:\Users\Admin\AppData\Local\D9D\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2216

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:4964

C:\Users\Admin\AppData\Local\PR16\wscript.exe
C:\Users\Admin\AppData\Local\PR16\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2904

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:3760

C:\Users\Admin\AppData\Local\n62SOMLR\unregmp2.exe
C:\Users\Admin\AppData\Local\n62SOMLR\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D9D\VERSION.dll

Filesize
684KB

MD5
89b3eff878d5f3f1dfed1cbbdce573cc

SHA1
a2aab2635b32ff7f616713634b62c0ba1dbc842f

SHA256
9603d9e2aeae73282d0da0ef491daeb52506464e540f09faab97a491fa6ec8c2

SHA512
37fafb0302cf264d56c7af007bac69a85aaf2c628f8f705394d9ff0890720f0964f19b605cd8ac17e099a7ef40a1091b2d4ea17dd8267cf00fd977b4e826efbf

Download Submit
C:\Users\Admin\AppData\Local\D9D\wscript.exe

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
C:\Users\Admin\AppData\Local\PR16\VERSION.dll

Filesize
684KB

MD5
2b833c7a354e544b471119b0e7b1c813

SHA1
f0698dac21d657c16cda5d994b0c49204efbb98d

SHA256
2b3143db79bfe11842f318ee187532a58957861ded06469099f16938637d2a6f

SHA512
5b3fb2fb9dc23ba0ab449a91e6f1b9bd7af115d7b9bb029f1f97c2a8e3b29ed2575a8fd18f61ca189e3af6b3c3fae9b10f470624e7228e3161f650d95f68ee93

Download Submit
C:\Users\Admin\AppData\Local\n62SOMLR\VERSION.dll

Filesize
684KB

MD5
78d9e894af10dbf77ee73a237615bbdc

SHA1
33a01e73f04baffa9537b3ded312793c1a99aa2f

SHA256
c280eef828379b2128e4efd4b5078931fdb19727b03a6b96f9d18d6a59614e0c

SHA512
17ad921faa85bb08959176b129a440233b18ad2cc7427efb9bf998845cccf9bdfee664970f3dc185a5a80b038e4cd53296c0b825a7d93714304cb3ba355dc63f

Download Submit
C:\Users\Admin\AppData\Local\n62SOMLR\unregmp2.exe

Filesize
259KB

MD5
a6fc8ce566dec7c5873cb9d02d7b874e

SHA1
a30040967f75df85a1e3927bdce159b102011a61

SHA256
21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

SHA512
f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
750d15066ca9c203bbc4f2ebb2b7a977

SHA1
f3ad9bf343391095884a9bea10f134f2d882e76b

SHA256
14de7a0aa054bdaf9729cb9ef6dae354cd2b83d793f546fbc66c93f6b9326807

SHA512
43776e31706eaf2df83e8bc91d3dd70395a43f680473714d2164f4417d25dfbe02b1b53cdc049e488a98d9d82e545479a7cbb9850d19c07a0c99e619945335ab

Download Submit
memory/1244-40-0x00007FF92E760000-0x00007FF92E80A000-memory.dmp

Filesize
680KB

Download
memory/1244-2-0x0000021F182F0000-0x0000021F182F7000-memory.dmp

Filesize
28KB

Download
memory/1244-0-0x00007FF92E760000-0x00007FF92E80A000-memory.dmp

Filesize
680KB

Download
memory/1528-83-0x00007FF91E860000-0x00007FF91E90B000-memory.dmp

Filesize
684KB

Download
memory/1528-79-0x00007FF91E860000-0x00007FF91E90B000-memory.dmp

Filesize
684KB

Download
memory/2216-48-0x00007FF91F580000-0x00007FF91F62B000-memory.dmp

Filesize
684KB

Download
memory/2216-52-0x00007FF91F580000-0x00007FF91F62B000-memory.dmp

Filesize
684KB

Download
memory/2216-47-0x00000216E0FC0000-0x00000216E0FC7000-memory.dmp

Filesize
28KB

Download
memory/2904-65-0x0000028E43AA0000-0x0000028E43AA7000-memory.dmp

Filesize
28KB

Download
memory/2904-68-0x00007FF91F580000-0x00007FF91F62B000-memory.dmp

Filesize
684KB

Download
memory/3348-28-0x00007FF93D290000-0x00007FF93D2A0000-memory.dmp

Filesize
64KB

Download
memory/3348-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-9-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-8-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-7-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-6-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-37-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-27-0x00007FF93D2A0000-0x00007FF93D2B0000-memory.dmp

Filesize
64KB

Download
memory/3348-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-25-0x0000000008220000-0x0000000008227000-memory.dmp

Filesize
28KB

Download
memory/3348-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-10-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-3-0x0000000008240000-0x0000000008241000-memory.dmp

Filesize
4KB

Download
memory/3348-5-0x00007FF93C48A000-0x00007FF93C48B000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads