Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    20-11-2020 05:28

General

  • Target

    Fhdtme10.bin.dll

  • Size

    590KB

  • MD5

    429d63af6c900c0c2f7c2b82dec86a7e

  • SHA1

    6f3c788b9223c6d99d34235c86bcc00056a2c73f

  • SHA256

    b6c782d71a48aaf6b23d0c9f2f6490c008d8f3f87d43b3c1a6f18343ddc63874

  • SHA512

    0f1cc54093f788e6549cc0149f2d0d3c52e82b76222a4563c995c3bc8c207f4a2583f585b4f0ae522c85a5994a9953238c094e589cfcab3f4688ac9dd244ff4c

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

162.241.44.26:9443

192.232.229.53:4443

77.220.64.34:443

193.90.12.121:3098

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Blocklisted process makes network request 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Fhdtme10.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Fhdtme10.bin.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Checks whether UAC is enabled
      PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/544-2-0x000007FEF6E90000-0x000007FEF710A000-memory.dmp
    Filesize

    2.5MB

  • memory/1144-0-0x0000000000000000-mapping.dmp
  • memory/1144-1-0x0000000000410000-0x000000000044D000-memory.dmp
    Filesize

    244KB