dridex | 69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a

General

Target

69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a.dll
Size

672KB
MD5

9b616d2c751b6b29a1c2a529a49daba4
SHA1

46341d4ab5707193e9e53ffc140a42a61b6629a4
SHA256

69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a
SHA512

ac1e27da3fc0d5541382425232677e832896c6d3b8fa089db4799bad3a0383a1eb1e737f9b1f34213d30bdd842e1ef335599d4ff07c2b40f8f490e035c858f05
SSDEEP

6144:I34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:IIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1272-4-0x00000000029F0000-0x00000000029F1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2200-0-0x000007FEF7B90000-0x000007FEF7C38000-memory.dmp	dridex_payload
behavioral1/memory/1272-17-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1272-25-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1272-37-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1272-36-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/2200-45-0x000007FEF7B90000-0x000007FEF7C38000-memory.dmp	dridex_payload
behavioral1/memory/2936-59-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp	dridex_payload
behavioral1/memory/2936-54-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp	dridex_payload
behavioral1/memory/1532-80-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp	dridex_payload
behavioral1/memory/3024-92-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp	dridex_payload
behavioral1/memory/3024-98-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

winlogon.exedialer.execmstp.exe

pid process

2936 winlogon.exe
1532 dialer.exe
3024 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

winlogon.exedialer.execmstp.exe

pid process

1272
2936 winlogon.exe
1272
1532 dialer.exe
1272
3024 cmstp.exe
1272

pid	process
2936	winlogon.exe
1532	dialer.exe
3024	cmstp.exe

pid	process
1272
2936	winlogon.exe
1272
1532	dialer.exe
1272
3024	cmstp.exe
1272

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\DQKQ7M~1\\dialer.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dialer.execmstp.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2200	regsvr32.exe
2200	regsvr32.exe
2200	regsvr32.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 2796	1272	winlogon.exe
PID 1272 wrote to memory of 2796	1272	winlogon.exe
PID 1272 wrote to memory of 2796	1272	winlogon.exe
PID 1272 wrote to memory of 2936	1272	winlogon.exe
PID 1272 wrote to memory of 2936	1272	winlogon.exe
PID 1272 wrote to memory of 2936	1272	winlogon.exe
PID 1272 wrote to memory of 2724	1272	dialer.exe
PID 1272 wrote to memory of 2724	1272	dialer.exe
PID 1272 wrote to memory of 2724	1272	dialer.exe
PID 1272 wrote to memory of 1532	1272	dialer.exe
PID 1272 wrote to memory of 1532	1272	dialer.exe
PID 1272 wrote to memory of 1532	1272	dialer.exe
PID 1272 wrote to memory of 2664	1272	cmstp.exe
PID 1272 wrote to memory of 2664	1272	cmstp.exe
PID 1272 wrote to memory of 2664	1272	cmstp.exe
PID 1272 wrote to memory of 3024	1272	cmstp.exe
PID 1272 wrote to memory of 3024	1272	cmstp.exe
PID 1272 wrote to memory of 3024	1272	cmstp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\j39ep\winlogon.exe
C:\Users\Admin\AppData\Local\j39ep\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\q0dr1Dk\dialer.exe
C:\Users\Admin\AppData\Local\q0dr1Dk\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1532

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2664

C:\Users\Admin\AppData\Local\y0VaNi6\cmstp.exe
C:\Users\Admin\AppData\Local\y0VaNi6\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\j39ep\WINSTA.dll

Filesize
680KB

MD5
fd6f0b531fd86aca37f3a90fb301d5d0

SHA1
66d10d8bc7c1224f766ca4ee9d670faabe46374d

SHA256
1bf9217a192da76fb3ebaeaaf79dfda200b673ca62f0e1e36b0f3506272a4bcd

SHA512
5a0fc6780aa4162a6e86aba77c3af837a354f51dcd5867078f2cb9fa8db7cb490f37abd47453efbc2e09a9fc191c91bf2f943b78e6eb01f1f9436dd9d40e35fa

Download Submit
C:\Users\Admin\AppData\Local\q0dr1Dk\TAPI32.dll

Filesize
680KB

MD5
326bd6fb1a56342438844d12f7b4bec1

SHA1
ab969b63572e3f246a5a6bc413e3a3e4f028e2ef

SHA256
29459677ac88875ad33c58eeaf32d8d1b0834c0620f34511bb7659fe59f614ba

SHA512
7a34b0e21e4f26e1314c6ef518feb40e88ff93355a001146e3899f8aca5e05321e70003498bdbd188dc4e4bf6919aaa0740e7958507ed1f9289f941b8e4d2b56

Download Submit
C:\Users\Admin\AppData\Local\y0VaNi6\VERSION.dll

Filesize
676KB

MD5
aa88738148750c549c09ccc881cdeb9c

SHA1
5ec83a1a5da9eacb78465e0f937b70618c85e1af

SHA256
19bbd2494d63765bec7372aed564613ae89d100ce3950d18f095642c56c52377

SHA512
472512097d4286b3b39562644af44f9e1c9f07609baae5a18281a8b45c4cdac649a2248133a4472354e88a7c08e9541b081a26069a72c0705706cd591531c3a2

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
892B

MD5
2c8746a7dfa5a8402606afa8d2be0c69

SHA1
72cf695973c611694daecd4a952b24fe53c5fa0f

SHA256
a330e34cf69151724eadf27a1a91fa5bcb0f4153d5dcd473b14da1cd983b5261

SHA512
20a954588e0e68c6b886ebcd8da1d07f6865e82a1cfb8d1cd805ca32687a3badf854e4e3bf99b9fdf3d2fee123e076ae0b319ff6a8cee05185d268e937dd5147

Download Submit
\Users\Admin\AppData\Local\j39ep\winlogon.exe

Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\q0dr1Dk\dialer.exe

Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
\Users\Admin\AppData\Local\y0VaNi6\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
memory/1272-27-0x0000000077980000-0x0000000077982000-memory.dmp

Filesize
8KB

Download
memory/1272-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-25-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-3-0x00000000775E6000-0x00000000775E7000-memory.dmp

Filesize
4KB

Download
memory/1272-26-0x0000000077950000-0x0000000077952000-memory.dmp

Filesize
8KB

Download
memory/1272-37-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-36-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-4-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1272-46-0x00000000775E6000-0x00000000775E7000-memory.dmp

Filesize
4KB

Download
memory/1272-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-24-0x00000000029D0000-0x00000000029D7000-memory.dmp

Filesize
28KB

Download
memory/1272-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1272-17-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1532-77-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1532-80-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp

Filesize
680KB

Download
memory/2200-45-0x000007FEF7B90000-0x000007FEF7C38000-memory.dmp

Filesize
672KB

Download
memory/2200-0-0x000007FEF7B90000-0x000007FEF7C38000-memory.dmp

Filesize
672KB

Download
memory/2200-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2936-54-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp

Filesize
680KB

Download
memory/2936-59-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp

Filesize
680KB

Download
memory/2936-56-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/3024-92-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp

Filesize
676KB

Download
memory/3024-98-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp

Filesize
676KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads