dridex | 534d2ed9bae64039fe0e0f0fa0b51caf808d603f70d0e34c54dbb9a018801739

General

Target

534d2ed9bae64039fe0e0f0fa0b51caf808d603f70d0e34c54dbb9a018801739.dll
Size

676KB
MD5

fe55563a35f75a22d84ca5916747d82c
SHA1

39b3b39299ef909314d2edc5c8808b7d495c8b0e
SHA256

534d2ed9bae64039fe0e0f0fa0b51caf808d603f70d0e34c54dbb9a018801739
SHA512

5e74de0700fae017bbfa89b8636ba4c6c9b09e46660c56fc2502777aaea32ec98f405863bf5ec656b2282c14638864b8006853f5c711719f2d98dac6bb341ba1
SSDEEP

6144:I34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:IIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3444-3-0x0000000002D70000-0x0000000002D71000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1868-1-0x00007FFF57B60000-0x00007FFF57C09000-memory.dmp	dridex_payload
behavioral2/memory/3444-18-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral2/memory/3444-26-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral2/memory/3444-37-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral2/memory/1868-40-0x00007FFF57B60000-0x00007FFF57C09000-memory.dmp	dridex_payload
behavioral2/memory/2880-47-0x00007FFF48A20000-0x00007FFF48ACA000-memory.dmp	dridex_payload
behavioral2/memory/2880-52-0x00007FFF48A20000-0x00007FFF48ACA000-memory.dmp	dridex_payload
behavioral2/memory/4004-68-0x00007FFF48A20000-0x00007FFF48ACA000-memory.dmp	dridex_payload
behavioral2/memory/3652-79-0x00007FFF489F0000-0x00007FFF48A9A000-memory.dmp	dridex_payload
behavioral2/memory/3652-83-0x00007FFF489F0000-0x00007FFF48A9A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

AgentService.exeusocoreworker.exeWFS.exe

pid process

2880 AgentService.exe
4004 usocoreworker.exe
3652 WFS.exe
Loads dropped DLL 3 IoCs

Processes:

AgentService.exeusocoreworker.exeWFS.exe

pid process

2880 AgentService.exe
4004 usocoreworker.exe
3652 WFS.exe

pid	process
2880	AgentService.exe
4004	usocoreworker.exe
3652	WFS.exe

pid	process
2880	AgentService.exe
4004	usocoreworker.exe
3652	WFS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\QD5lT73TnqM\\usocoreworker.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WFS.exeAgentService.exeusocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1868	regsvr32.exe
1868	regsvr32.exe
1868	regsvr32.exe
1868	regsvr32.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3444
3444
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3444

pid	process
3444
3444

pid	process
3444

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3444 wrote to memory of 316	3444	AgentService.exe
PID 3444 wrote to memory of 316	3444	AgentService.exe
PID 3444 wrote to memory of 2880	3444	AgentService.exe
PID 3444 wrote to memory of 2880	3444	AgentService.exe
PID 3444 wrote to memory of 2164	3444	usocoreworker.exe
PID 3444 wrote to memory of 2164	3444	usocoreworker.exe
PID 3444 wrote to memory of 4004	3444	usocoreworker.exe
PID 3444 wrote to memory of 4004	3444	usocoreworker.exe
PID 3444 wrote to memory of 972	3444	WFS.exe
PID 3444 wrote to memory of 972	3444	WFS.exe
PID 3444 wrote to memory of 3652	3444	WFS.exe
PID 3444 wrote to memory of 3652	3444	WFS.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\534d2ed9bae64039fe0e0f0fa0b51caf808d603f70d0e34c54dbb9a018801739.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:316

C:\Users\Admin\AppData\Local\vD83\AgentService.exe
C:\Users\Admin\AppData\Local\vD83\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2880

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:2164

C:\Users\Admin\AppData\Local\68t2dF\usocoreworker.exe
C:\Users\Admin\AppData\Local\68t2dF\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4004

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\Rw4TaVB\WFS.exe
C:\Users\Admin\AppData\Local\Rw4TaVB\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\68t2dF\XmlLite.dll

Filesize
680KB

MD5
35052858279423ecf89a11e52197dfdd

SHA1
1207e5af800d5843b9c6d3388217067b3ae8e8f5

SHA256
8639e8c7ed2d8ab79a9b1afc83420cba15f9ea769baf540078b9e78047320022

SHA512
932dcd196eccbc7f6b37369640dca10a7285c0a372a6a7e217ac78affecd38d962b5ed1479ada3c4d1e88a5eccd9d9ef1a6bbdbc5bfaaf33729f43dec1d9d5d3

Download Submit
C:\Users\Admin\AppData\Local\68t2dF\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\Rw4TaVB\UxTheme.dll

Filesize
680KB

MD5
aa683b92fcba485f658933d9263535ff

SHA1
bd2aaee42c9c4879cbf5a801ebc634274d4abd05

SHA256
a4c6c6092f060c77a1135980bc1b1d987d2c74e241bbae8c733f76e09796774d

SHA512
0b2b11ce355bdaec90325d7499be1b9bd090f6cf6a1c95bd9980dc20216b9ea0ac8d92c361a4c7cfcef1587946f3b23299769ac2e503c127a30ad9806f38199a

Download Submit
C:\Users\Admin\AppData\Local\Rw4TaVB\WFS.exe

Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\vD83\ACTIVEDS.dll

Filesize
680KB

MD5
662fc90fedfe762aaea948196dd7ef97

SHA1
a6355e2093cc395ba2fbb3df16bce2db094a8227

SHA256
b9331c10f0a4128c7d5f3de217f3ba7208e2b380e0adc2169d8db2380be6af49

SHA512
6cd4e201b66316a270d8af8ace883af4269a26f8ee272735376aebe2cbc526b839f16fc4875aae5d56f75f7b4bb7a827f45d67222d6a3f68517171db2f102968

Download Submit
C:\Users\Admin\AppData\Local\vD83\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
28bb330420e1cf84bf48ce47dddeb856

SHA1
4ce5b102ec1498fb38f9e1eaf6dc72e09fbf7fdc

SHA256
91b5812664025b0ce0fd434738630d686e91e89baf4e3abb0c6ee5e566409b98

SHA512
76f9c41da4daa0c8cced123b195a650f11980a13a31149bb7293279bb3c1ac957e70b3dda9e4bc54f6bc25b53b1ebced81a43aff2275a50b4ddb14f76dc9786a

Download Submit
memory/1868-40-0x00007FFF57B60000-0x00007FFF57C09000-memory.dmp

Filesize
676KB

Download
memory/1868-2-0x0000000002630000-0x0000000002637000-memory.dmp

Filesize
28KB

Download
memory/1868-1-0x00007FFF57B60000-0x00007FFF57C09000-memory.dmp

Filesize
676KB

Download
memory/2880-52-0x00007FFF48A20000-0x00007FFF48ACA000-memory.dmp

Filesize
680KB

Download
memory/2880-49-0x000002331A560000-0x000002331A567000-memory.dmp

Filesize
28KB

Download
memory/2880-47-0x00007FFF48A20000-0x00007FFF48ACA000-memory.dmp

Filesize
680KB

Download
memory/3444-14-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-12-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-7-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-11-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-3-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3444-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-28-0x00007FFF665F0000-0x00007FFF66600000-memory.dmp

Filesize
64KB

Download
memory/3444-27-0x00007FFF66600000-0x00007FFF66610000-memory.dmp

Filesize
64KB

Download
memory/3444-9-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-10-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-8-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-13-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-25-0x0000000002B90000-0x0000000002B97000-memory.dmp

Filesize
28KB

Download
memory/3444-5-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3444-6-0x00007FFF65BAA000-0x00007FFF65BAB000-memory.dmp

Filesize
4KB

Download
memory/3444-18-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3652-79-0x00007FFF489F0000-0x00007FFF48A9A000-memory.dmp

Filesize
680KB

Download
memory/3652-83-0x00007FFF489F0000-0x00007FFF48A9A000-memory.dmp

Filesize
680KB

Download
memory/4004-68-0x00007FFF48A20000-0x00007FFF48ACA000-memory.dmp

Filesize
680KB

Download
memory/4004-65-0x000001749BE00000-0x000001749BE07000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads