dridex | 60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b

General

Target

60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b.dll
Size

676KB
MD5

4d50c132ca23b8e8fa6f50c8e7db7e3b
SHA1

fc0fe7b8a046e550ed228581c381d5244a62c74c
SHA256

60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b
SHA512

317ca386657544fb79e3a0529278ea096abcb30ad0aef492a4e9a97b87502154095fccde07882c0a98ea2a278860c765a3ea6283cf195085405e1d8048101614
SSDEEP

6144:C34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:CIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-4-0x00000000029C0000-0x00000000029C1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1064-1-0x000007FEF7270000-0x000007FEF7319000-memory.dmp	dridex_payload
behavioral1/memory/1256-19-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1256-26-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1256-38-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1256-37-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1064-46-0x000007FEF7270000-0x000007FEF7319000-memory.dmp	dridex_payload
behavioral1/memory/2560-56-0x000007FEF7320000-0x000007FEF73D0000-memory.dmp	dridex_payload
behavioral1/memory/2560-60-0x000007FEF7320000-0x000007FEF73D0000-memory.dmp	dridex_payload
behavioral1/memory/2932-73-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp	dridex_payload
behavioral1/memory/2932-77-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp	dridex_payload
behavioral1/memory/1956-98-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

irftp.exeSystemPropertiesPerformance.exeVaultSysUi.exe

pid process

2560 irftp.exe
2932 SystemPropertiesPerformance.exe
1956 VaultSysUi.exe
Loads dropped DLL 8 IoCs

Processes:

irftp.exeSystemPropertiesPerformance.exeVaultSysUi.exe

pid process

1256
2560 irftp.exe
1256
2932 SystemPropertiesPerformance.exe
1256
1256
1956 VaultSysUi.exe
1256

pid	process
2560	irftp.exe
2932	SystemPropertiesPerformance.exe
1956	VaultSysUi.exe

pid	process
1256
2560	irftp.exe
1256
2932	SystemPropertiesPerformance.exe
1256
1256
1956	VaultSysUi.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\RXR0ZE~1\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

irftp.exeSystemPropertiesPerformance.exeVaultSysUi.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 2656	1256	irftp.exe
PID 1256 wrote to memory of 2656	1256	irftp.exe
PID 1256 wrote to memory of 2656	1256	irftp.exe
PID 1256 wrote to memory of 2560	1256	irftp.exe
PID 1256 wrote to memory of 2560	1256	irftp.exe
PID 1256 wrote to memory of 2560	1256	irftp.exe
PID 1256 wrote to memory of 396	1256	SystemPropertiesPerformance.exe
PID 1256 wrote to memory of 396	1256	SystemPropertiesPerformance.exe
PID 1256 wrote to memory of 396	1256	SystemPropertiesPerformance.exe
PID 1256 wrote to memory of 2932	1256	SystemPropertiesPerformance.exe
PID 1256 wrote to memory of 2932	1256	SystemPropertiesPerformance.exe
PID 1256 wrote to memory of 2932	1256	SystemPropertiesPerformance.exe
PID 1256 wrote to memory of 2912	1256	VaultSysUi.exe
PID 1256 wrote to memory of 2912	1256	VaultSysUi.exe
PID 1256 wrote to memory of 2912	1256	VaultSysUi.exe
PID 1256 wrote to memory of 1956	1256	VaultSysUi.exe
PID 1256 wrote to memory of 1956	1256	VaultSysUi.exe
PID 1256 wrote to memory of 1956	1256	VaultSysUi.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2656

C:\Users\Admin\AppData\Local\JV8CNouK7\irftp.exe
C:\Users\Admin\AppData\Local\JV8CNouK7\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2560

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:396

C:\Users\Admin\AppData\Local\OTHTF\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\OTHTF\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2932

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:2912

C:\Users\Admin\AppData\Local\9GN5MnG4v\VaultSysUi.exe
C:\Users\Admin\AppData\Local\9GN5MnG4v\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9GN5MnG4v\credui.dll

Filesize
680KB

MD5
420d84ccd302ed510de1515a8abef45d

SHA1
ae55ece95ee8c64ceebe945e88b70f7ca65274a2

SHA256
c8d5bf653efb6368d14935959b2bcaafc3ddaa485ba54ffce2fd42971c7b36e2

SHA512
85393dfa2951d525401b53498394f7ef22b908c10434fc0600c59c0a450931ea4e9101a2c5af515a82e8cae36e046ba1aeff8cc39e657dd3ebe91de7f87b1f9f

Download Submit
C:\Users\Admin\AppData\Local\JV8CNouK7\MFC42u.dll

Filesize
704KB

MD5
ed48dfeec071c97e397b7cd23c235716

SHA1
e952f3866bdcc1a21060f3db16739738e9ef3185

SHA256
e3bdacffe90236a84bab7cf197a0344b8b9065d1310d0756ad6cdc41da33b52e

SHA512
81df672436680aa6c3b66fe05869eff61dc2a02a734356028fea52410813e363fd1576cfd1d309455ce13a19755817da5361cddd8beedd775e61114bbd5451cb

Download Submit
C:\Users\Admin\AppData\Local\OTHTF\SYSDM.CPL

Filesize
680KB

MD5
1cb10d3dfdeae1e1ef9d64df3e4918c8

SHA1
a01ebb7f3f4c6dc8255b1375cafa2f7bca5b207d

SHA256
1a81a204d3c174acdc41c02d752b610be320e0a208d45d9841a906e8f121d697

SHA512
b56bfc169276fbd2afbb4355c4de73eca4cdb26cb68913bf304d6c8536d1fdf26971534384796f91b47d97398c4094669d4b1d2c2a72a453becb83fc1754d501

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
136bacebc6dd6e893184974d886290b4

SHA1
9826ced37402593e73b644c5e79c7c16bd2436ad

SHA256
6994d8d1f63328c53513622b51e829e054bb47100ba1ecc27f82097209a4ae28

SHA512
17f430885161397a81f0c22c25193bc9a931f78b8c4160125741b9153649856e807a90ca68b4841845d952cbf2240708c7695c9f064cd53b3d1e6fe4d0da4e07

Download Submit
\Users\Admin\AppData\Local\9GN5MnG4v\VaultSysUi.exe

Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\JV8CNouK7\irftp.exe

Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\OTHTF\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
memory/1064-1-0x000007FEF7270000-0x000007FEF7319000-memory.dmp

Filesize
676KB

Download
memory/1064-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1064-46-0x000007FEF7270000-0x000007FEF7319000-memory.dmp

Filesize
676KB

Download
memory/1256-28-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1256-19-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-13-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-12-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-11-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-10-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-9-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-7-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-27-0x0000000077010000-0x0000000077012000-memory.dmp

Filesize
8KB

Download
memory/1256-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-38-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-47-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

Filesize
4KB

Download
memory/1256-14-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-25-0x00000000029A0000-0x00000000029A7000-memory.dmp

Filesize
28KB

Download
memory/1256-3-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

Filesize
4KB

Download
memory/1256-4-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1256-6-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1256-8-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1956-98-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp

Filesize
680KB

Download
memory/2560-60-0x000007FEF7320000-0x000007FEF73D0000-memory.dmp

Filesize
704KB

Download
memory/2560-56-0x000007FEF7320000-0x000007FEF73D0000-memory.dmp

Filesize
704KB

Download
memory/2560-55-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2932-72-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2932-73-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp

Filesize
680KB

Download
memory/2932-77-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads