dridex | 3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3

General

Target

3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll
Size

672KB
MD5

3aca1383a7540c9153c2064e5d66af1c
SHA1

c2afd47eb14d504194df17e550407989e34d91aa
SHA256

3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3
SHA512

a513bc6cb4c62792ecc1a18e5927322535e9403c72b95b2181e1ef4aaaaf883e7cbcd19de0310dbc85dce93a53d2286cdf1272e2e5c9e6f3953d77542161dad7
SSDEEP

6144:934xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTh:9IKp/UWCZdCDh2IZDwAFRpR6AuXt

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-4-0x0000000002D10000-0x0000000002D11000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2604-0-0x000007FEF6DB0000-0x000007FEF6E58000-memory.dmp	dridex_payload
behavioral1/memory/1192-17-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1192-25-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1192-38-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/1192-37-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral1/memory/2604-45-0x000007FEF6DB0000-0x000007FEF6E58000-memory.dmp	dridex_payload
behavioral1/memory/2712-54-0x000007FEF6E60000-0x000007FEF6F09000-memory.dmp	dridex_payload
behavioral1/memory/2712-59-0x000007FEF6E60000-0x000007FEF6F09000-memory.dmp	dridex_payload
behavioral1/memory/2012-71-0x000007FEF62D0000-0x000007FEF637A000-memory.dmp	dridex_payload
behavioral1/memory/2012-76-0x000007FEF62D0000-0x000007FEF637A000-memory.dmp	dridex_payload
behavioral1/memory/2324-88-0x000007FEF64E0000-0x000007FEF6589000-memory.dmp	dridex_payload
behavioral1/memory/2324-91-0x000007FEF64E0000-0x000007FEF6589000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesAdvanced.exeirftp.exedwm.exe

pid process

2712 SystemPropertiesAdvanced.exe
2012 irftp.exe
2324 dwm.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesAdvanced.exeirftp.exedwm.exe

pid process

1192
2712 SystemPropertiesAdvanced.exe
1192
2012 irftp.exe
1192
2324 dwm.exe
1192

pid	process
2712	SystemPropertiesAdvanced.exe
2012	irftp.exe
2324	dwm.exe

pid	process
1192
2712	SystemPropertiesAdvanced.exe
1192
2012	irftp.exe
1192
2324	dwm.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\HW5OPRtr\\irftp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesAdvanced.exeirftp.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesAdvanced.exe

pid	process
2604	rundll32.exe
2604	rundll32.exe
2604	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
2712	SystemPropertiesAdvanced.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2792	1192	SystemPropertiesAdvanced.exe
PID 1192 wrote to memory of 2792	1192	SystemPropertiesAdvanced.exe
PID 1192 wrote to memory of 2792	1192	SystemPropertiesAdvanced.exe
PID 1192 wrote to memory of 2712	1192	SystemPropertiesAdvanced.exe
PID 1192 wrote to memory of 2712	1192	SystemPropertiesAdvanced.exe
PID 1192 wrote to memory of 2712	1192	SystemPropertiesAdvanced.exe
PID 1192 wrote to memory of 2724	1192	irftp.exe
PID 1192 wrote to memory of 2724	1192	irftp.exe
PID 1192 wrote to memory of 2724	1192	irftp.exe
PID 1192 wrote to memory of 2012	1192	irftp.exe
PID 1192 wrote to memory of 2012	1192	irftp.exe
PID 1192 wrote to memory of 2012	1192	irftp.exe
PID 1192 wrote to memory of 2928	1192	dwm.exe
PID 1192 wrote to memory of 2928	1192	dwm.exe
PID 1192 wrote to memory of 2928	1192	dwm.exe
PID 1192 wrote to memory of 2324	1192	dwm.exe
PID 1192 wrote to memory of 2324	1192	dwm.exe
PID 1192 wrote to memory of 2324	1192	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Fae\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\Fae\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\8LQ6iIQ\irftp.exe
C:\Users\Admin\AppData\Local\8LQ6iIQ\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2012

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2928

C:\Users\Admin\AppData\Local\PCh\dwm.exe
C:\Users\Admin\AppData\Local\PCh\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8LQ6iIQ\WINMM.dll

Filesize
680KB

MD5
e68451236de7915030975d43950cc6b1

SHA1
9f9e04dc1e106de303568ff44dca3e95a743265d

SHA256
ac54b89745ee799422b7557c1ef732006264143cdc86107a731a4f0fbe4e8b98

SHA512
971a29ab66cdf89389729649aa046cc25d7d030db1dc259e44ab4e903b34f43e3c11f184cb0c2ef011e7438ec39f73938cff6d77747265693377ac18ecc8cc1f

Download Submit
C:\Users\Admin\AppData\Local\Fae\SYSDM.CPL

Filesize
676KB

MD5
8d9744d157a5f7a53165d32fa31b4655

SHA1
3a83833dc78f3d6a52f0f710efe766ca374dbcfd

SHA256
6024cfb7ce0400cfda39516eea5615dad1e0b15306b0914ef2972c91662c77d6

SHA512
b4dfab2cc04fead8f959bb226c9d019093e70958b3b75c3b6f311e39379f37ea7b5a5bf5dabdd2235d70d8fa4ebdf85451e15f3ea91085347980f3401147e8bb

Download Submit
C:\Users\Admin\AppData\Local\PCh\UxTheme.dll

Filesize
676KB

MD5
023a075fd89a2d02195ea85e7fdad212

SHA1
f61725fedeaa56bce97c4f9b83cd45b6985898bf

SHA256
57325e497d92bc2cb22735732fefc7fe7dfe84eb3b98e05b54450fef6a67b41e

SHA512
e8948e0072246026327691feb1bc17cee7e8426f26d5b8b856201f88ddee0dbc3b8fb61421172b46b03bfd6d2d9a8c38cdb920a7d35057e71c3bb4a19e5ca17c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk

Filesize
1KB

MD5
51feed357bee86848741cbae1ff8d944

SHA1
59aba8289a7ab09a9189a4c13aaf52f0bdb309f3

SHA256
1ec8cbf5ccdf24c5df657c6573f95e382a8a9a841116f97000bcd26a1a623c84

SHA512
fb479ea94596fe4ca76a6b828fb769462582b62790b681919133fc91d753b9ff25b4c5859fe2743e3a7b15bf493647f54b5f658aadcea0b4fdbe736651101504

Download Submit
\Users\Admin\AppData\Local\8LQ6iIQ\irftp.exe

Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\Fae\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\PCh\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
memory/1192-26-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1192-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-7-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-25-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-3-0x0000000077626000-0x0000000077627000-memory.dmp

Filesize
4KB

Download
memory/1192-27-0x00000000778C0000-0x00000000778C2000-memory.dmp

Filesize
8KB

Download
memory/1192-38-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-37-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-4-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1192-46-0x0000000077626000-0x0000000077627000-memory.dmp

Filesize
4KB

Download
memory/1192-24-0x0000000002AB0000-0x0000000002AB7000-memory.dmp

Filesize
28KB

Download
memory/1192-17-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/1192-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/2012-73-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2012-71-0x000007FEF62D0000-0x000007FEF637A000-memory.dmp

Filesize
680KB

Download
memory/2012-76-0x000007FEF62D0000-0x000007FEF637A000-memory.dmp

Filesize
680KB

Download
memory/2324-88-0x000007FEF64E0000-0x000007FEF6589000-memory.dmp

Filesize
676KB

Download
memory/2324-91-0x000007FEF64E0000-0x000007FEF6589000-memory.dmp

Filesize
676KB

Download
memory/2604-45-0x000007FEF6DB0000-0x000007FEF6E58000-memory.dmp

Filesize
672KB

Download
memory/2604-0-0x000007FEF6DB0000-0x000007FEF6E58000-memory.dmp

Filesize
672KB

Download
memory/2604-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2712-59-0x000007FEF6E60000-0x000007FEF6F09000-memory.dmp

Filesize
676KB

Download
memory/2712-54-0x000007FEF6E60000-0x000007FEF6F09000-memory.dmp

Filesize
676KB

Download
memory/2712-56-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads