dridex | 3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3

General

Target

3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll
Size

672KB
MD5

3aca1383a7540c9153c2064e5d66af1c
SHA1

c2afd47eb14d504194df17e550407989e34d91aa
SHA256

3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3
SHA512

a513bc6cb4c62792ecc1a18e5927322535e9403c72b95b2181e1ef4aaaaf883e7cbcd19de0310dbc85dce93a53d2286cdf1272e2e5c9e6f3953d77542161dad7
SSDEEP

6144:934xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTh:9IKp/UWCZdCDh2IZDwAFRpR6AuXt

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3436-3-0x0000000008290000-0x0000000008291000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4040-0-0x00007FFC8F7E0000-0x00007FFC8F888000-memory.dmp	dridex_payload
behavioral2/memory/3436-17-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3436-36-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/3436-25-0x0000000140000000-0x00000001400A8000-memory.dmp	dridex_payload
behavioral2/memory/4040-39-0x00007FFC8F7E0000-0x00007FFC8F888000-memory.dmp	dridex_payload
behavioral2/memory/2816-47-0x00007FFC7FC10000-0x00007FFC7FCB9000-memory.dmp	dridex_payload
behavioral2/memory/2816-51-0x00007FFC7FC10000-0x00007FFC7FCB9000-memory.dmp	dridex_payload
behavioral2/memory/1784-63-0x00007FFC7FBB0000-0x00007FFC7FC59000-memory.dmp	dridex_payload
behavioral2/memory/1784-67-0x00007FFC7FBB0000-0x00007FFC7FC59000-memory.dmp	dridex_payload
behavioral2/memory/2324-78-0x00007FFC7FBB0000-0x00007FFC7FC5A000-memory.dmp	dridex_payload
behavioral2/memory/2324-82-0x00007FFC7FBB0000-0x00007FFC7FC5A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

tabcal.exeDxpserver.exeWFS.exe

pid process

2816 tabcal.exe
1784 Dxpserver.exe
2324 WFS.exe
Loads dropped DLL 3 IoCs

Processes:

tabcal.exeDxpserver.exeWFS.exe

pid process

2816 tabcal.exe
1784 Dxpserver.exe
2324 WFS.exe

pid	process
2816	tabcal.exe
1784	Dxpserver.exe
2324	WFS.exe

pid	process
2816	tabcal.exe
1784	Dxpserver.exe
2324	WFS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\KTbigSEwN\\Dxpserver.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exetabcal.exeDxpserver.exeWFS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3436
3436
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3436

pid	process
3436
3436

pid	process
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 3328	3436	tabcal.exe
PID 3436 wrote to memory of 3328	3436	tabcal.exe
PID 3436 wrote to memory of 2816	3436	tabcal.exe
PID 3436 wrote to memory of 2816	3436	tabcal.exe
PID 3436 wrote to memory of 1720	3436	Dxpserver.exe
PID 3436 wrote to memory of 1720	3436	Dxpserver.exe
PID 3436 wrote to memory of 1784	3436	Dxpserver.exe
PID 3436 wrote to memory of 1784	3436	Dxpserver.exe
PID 3436 wrote to memory of 3604	3436	WFS.exe
PID 3436 wrote to memory of 3604	3436	WFS.exe
PID 3436 wrote to memory of 2324	3436	WFS.exe
PID 3436 wrote to memory of 2324	3436	WFS.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:3328

C:\Users\Admin\AppData\Local\YFJhhg\tabcal.exe
C:\Users\Admin\AppData\Local\YFJhhg\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2816

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1720

C:\Users\Admin\AppData\Local\vrjtL\Dxpserver.exe
C:\Users\Admin\AppData\Local\vrjtL\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1784

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:3604

C:\Users\Admin\AppData\Local\uCOKlmH\WFS.exe
C:\Users\Admin\AppData\Local\uCOKlmH\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\YFJhhg\HID.DLL

Filesize
676KB

MD5
0aafcf92085bb493cc3387e219cb0549

SHA1
7b1269ef50cdef19652ef94540fe1b840e3606d4

SHA256
134d9cfbf16f0267cda766543ac6efd6ee2a4185892e23237a37767c28de815a

SHA512
443345c4de32e625f198fba5470509b0f7f03d8dcc1264474690bc2c83ce9d550622590adb7280ba01c00d9104576fc13614f52e033a9cb418ece81985a46f2d

Download Submit
C:\Users\Admin\AppData\Local\YFJhhg\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Local\uCOKlmH\WFS.exe

Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\uCOKlmH\WINMM.dll

Filesize
680KB

MD5
d8219ca5c7fcfc063ca24d99ba182c7d

SHA1
ba0ee9c2821a1cbfa0bab473d26e398e4ef786ea

SHA256
c7ae1d15f2b366a9144cd8a09c035646b2d9bdc50980a5ba5fbee440ac542b89

SHA512
4769082b4867d69b162996c2fc9a30e7e027c04ba9a223c12fd6932b77da868dd9e334ccaeb37bbb96dcc2a67d7e262f1d1f3a1293bc8606709b8dad3b011a90

Download Submit
C:\Users\Admin\AppData\Local\vrjtL\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\vrjtL\XmlLite.dll

Filesize
676KB

MD5
8894be2ad43c5cbe83bc62618877dc2c

SHA1
f01d4dbc59d3b488cebd52318f788af96302e668

SHA256
4f88b20e178ec7b90b79ab8f297588b4ea22df1f844df260dde9cb9c5b9c5304

SHA512
4a561809229b3603e191075df95dc06339262b6443ab12c761d463b20142bd6378ee5a8abe91375f2155b7bd96548c07434cc43808008c8bd97ea8ac6e57719e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
1KB

MD5
384fe135d725bddf1814ce591f16ba85

SHA1
1990f11e2ddf6dda4fcfcd63e471114dad56c961

SHA256
4dcbc39e3f6cec7126f4b1c71ca1fdb2a4824c5ff14019444dfc32c3c807e758

SHA512
da41def5d0e8dde83a75a06f5aef9c137c0a929a732aa4cc7f12aff59493ed5e9db7e671cbe3174e369b8ee3765079d3d293356377a937751143e8af640f32e2

Download Submit
memory/1784-67-0x00007FFC7FBB0000-0x00007FFC7FC59000-memory.dmp

Filesize
676KB

Download
memory/1784-62-0x00000238AB750000-0x00000238AB757000-memory.dmp

Filesize
28KB

Download
memory/1784-63-0x00007FFC7FBB0000-0x00007FFC7FC59000-memory.dmp

Filesize
676KB

Download
memory/2324-78-0x00007FFC7FBB0000-0x00007FFC7FC5A000-memory.dmp

Filesize
680KB

Download
memory/2324-82-0x00007FFC7FBB0000-0x00007FFC7FC5A000-memory.dmp

Filesize
680KB

Download
memory/2816-51-0x00007FFC7FC10000-0x00007FFC7FCB9000-memory.dmp

Filesize
676KB

Download
memory/2816-47-0x00007FFC7FC10000-0x00007FFC7FCB9000-memory.dmp

Filesize
676KB

Download
memory/2816-46-0x000001E3287A0000-0x000001E3287A7000-memory.dmp

Filesize
28KB

Download
memory/3436-36-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-16-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-9-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-6-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-8-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-3-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/3436-5-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-11-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-12-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-13-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-14-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-15-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-25-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-7-0x00007FFC9D4DA000-0x00007FFC9D4DB000-memory.dmp

Filesize
4KB

Download
memory/3436-26-0x00007FFC9E1E0000-0x00007FFC9E1F0000-memory.dmp

Filesize
64KB

Download
memory/3436-27-0x00007FFC9E1D0000-0x00007FFC9E1E0000-memory.dmp

Filesize
64KB

Download
memory/3436-10-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3436-24-0x0000000007F60000-0x0000000007F67000-memory.dmp

Filesize
28KB

Download
memory/3436-17-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/4040-0-0x00007FFC8F7E0000-0x00007FFC8F888000-memory.dmp

Filesize
672KB

Download
memory/4040-39-0x00007FFC8F7E0000-0x00007FFC8F888000-memory.dmp

Filesize
672KB

Download
memory/4040-2-0x000001D6AECA0000-0x000001D6AECA7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads