dridex | 2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b

Analysis

max time kernel
123s
max time network
125s
platform
windows7_x64
resource
win7v20201028
submitted
26-11-2020 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Amazon_Gift-Card.579177920.scr
Size

965KB
MD5

33ca3e86d783234092e52369e1b6bb83
SHA1

653ab54e15b01473943cd897ded24f742b0193c5
SHA256

2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b
SHA512

7ddd8dfca491fd272cb1232813e78a0df52983801222b00cc535c1386a411aba30aa2bc720b4d913685f564c2060f8d072c48c31be88753d0924639f8adb632e

Score

10^/10

dridex 10555 botnet evasion loader ransomware

Malware Config

Extracted

Family

dridex

Botnet

10555

194.225.58.216:443

178.254.40.132:691

216.172.165.70:3889

198.57.200.100:3786

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1848-23-0x00000000002A0000-0x00000000002DD000-memory.dmp	dridex_ldr

Executes dropped EXE 1 IoCs

Processes:

extraPFZ.exe

pid process

1096 extraPFZ.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Loads dropped DLL 2 IoCs

Processes:

cmd.exeregsvr32.exe

pid process

1160 cmd.exe
1848 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1992 timeout.exe
1956 timeout.exe
1620 timeout.exe
564 timeout.exe

pid	process
1096	extraPFZ.exe

pid	process
1160	cmd.exe
1848	regsvr32.exe

pid	process
1992	timeout.exe
1956	timeout.exe
1620	timeout.exe
564	timeout.exe

Suspicious use of WriteProcessMemory 77 IoCs

Processes:

Amazon_Gift-Card.579177920.scrWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1068 wrote to memory of 884	1068	Amazon_Gift-Card.579177920.scr	WScript.exe
PID 1068 wrote to memory of 884	1068	Amazon_Gift-Card.579177920.scr	WScript.exe
PID 1068 wrote to memory of 884	1068	Amazon_Gift-Card.579177920.scr	WScript.exe
PID 1068 wrote to memory of 884	1068	Amazon_Gift-Card.579177920.scr	WScript.exe
PID 1068 wrote to memory of 884	1068	Amazon_Gift-Card.579177920.scr	WScript.exe
PID 1068 wrote to memory of 884	1068	Amazon_Gift-Card.579177920.scr	WScript.exe
PID 1068 wrote to memory of 884	1068	Amazon_Gift-Card.579177920.scr	WScript.exe
PID 884 wrote to memory of 1160	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1160	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1160	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1160	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1160	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1160	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 1160	884	WScript.exe	cmd.exe
PID 1160 wrote to memory of 1992	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1992	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1992	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1992	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1992	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1992	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1992	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1096	1160	cmd.exe	extraPFZ.exe
PID 1160 wrote to memory of 1096	1160	cmd.exe	extraPFZ.exe
PID 1160 wrote to memory of 1096	1160	cmd.exe	extraPFZ.exe
PID 1160 wrote to memory of 1096	1160	cmd.exe	extraPFZ.exe
PID 1160 wrote to memory of 1096	1160	cmd.exe	extraPFZ.exe
PID 1160 wrote to memory of 1096	1160	cmd.exe	extraPFZ.exe
PID 1160 wrote to memory of 1096	1160	cmd.exe	extraPFZ.exe
PID 1160 wrote to memory of 1956	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1956	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1956	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1956	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1956	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1956	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1956	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 936	1160	cmd.exe	WScript.exe
PID 1160 wrote to memory of 936	1160	cmd.exe	WScript.exe
PID 1160 wrote to memory of 936	1160	cmd.exe	WScript.exe
PID 1160 wrote to memory of 936	1160	cmd.exe	WScript.exe
PID 1160 wrote to memory of 936	1160	cmd.exe	WScript.exe
PID 1160 wrote to memory of 936	1160	cmd.exe	WScript.exe
PID 1160 wrote to memory of 936	1160	cmd.exe	WScript.exe
PID 1160 wrote to memory of 1620	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1620	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1620	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1620	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1620	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1620	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1620	1160	cmd.exe	timeout.exe
PID 936 wrote to memory of 820	936	WScript.exe	cmd.exe
PID 936 wrote to memory of 820	936	WScript.exe	cmd.exe
PID 936 wrote to memory of 820	936	WScript.exe	cmd.exe
PID 936 wrote to memory of 820	936	WScript.exe	cmd.exe
PID 936 wrote to memory of 820	936	WScript.exe	cmd.exe
PID 936 wrote to memory of 820	936	WScript.exe	cmd.exe
PID 936 wrote to memory of 820	936	WScript.exe	cmd.exe
PID 820 wrote to memory of 1496	820	cmd.exe	attrib.exe
PID 820 wrote to memory of 1496	820	cmd.exe	attrib.exe
PID 820 wrote to memory of 1496	820	cmd.exe	attrib.exe
PID 820 wrote to memory of 1496	820	cmd.exe	attrib.exe
PID 820 wrote to memory of 1496	820	cmd.exe	attrib.exe
PID 820 wrote to memory of 1496	820	cmd.exe	attrib.exe
PID 820 wrote to memory of 1496	820	cmd.exe	attrib.exe
PID 820 wrote to memory of 564	820	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1496 attrib.exe

pid	process
1496	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Amazon_Gift-Card.579177920.scr
"C:\Users\Admin\AppData\Local\Temp\Amazon_Gift-Card.579177920.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Video\config\svideo.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Video\config\elp.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1992

C:\Video\config\extraPFZ.exe
"extraPFZ.exe" e -pVursion cvn5869508.rar
4⤵
- Executes dropped EXE
PID:1096

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Video\config\chinatown.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Video\config\7p.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Video"
6⤵
- Views/modifies file attributes
PID:1496

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:564

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s pzxrk4325.dll
6⤵
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Video\config\7p.bat
MD5
e94a811e7efd1d3615123b7642472d0a

SHA1
88b985970ad4a3b9da13262e47f7211d535c8738

SHA256
318e6fec79a00bac1f3e14b21aac6a9e6df11290ece1f57011e755c077cfc83c

SHA512
eb58d58103a8eb7989a4ecb245889eae1e179cf1cc17f2a07901edb00e3b727a309b1c1569ef680f51c998016829c764d1fe35b193a647d5fece4c24c8c14387

Download Submit
C:\Video\config\chinatown.vbs
MD5
e36f6c0eb7c04e04074230bb5c0d2683

SHA1
a48a3a27a6746c1ce5417bb77e9a792642a9c6eb

SHA256
7e87a583d7ce276cf430bb9eeab7ff48e34b1b8413bae3cadbef47884ae9521f

SHA512
daa2fb0c0a0bf3604eb9e929b45723d1bf6474a6f82cbea971bf9015730801e1a844afd8e87bf2a71952491bdbd3aecd097da7ad9581bfbc29da4486f48e8182

Download Submit
C:\Video\config\elp.bat
MD5
413bfe1c6c922e4d55d1572bfd8979c0

SHA1
d998b64917159bc30b816d28ee78794067d92637

SHA256
07c5e188ceca4bcd4d0ec7757ff03359402b0902bfe7ffe851fe81552f467153

SHA512
b31683c8124fb4294756af24186fddbf7f8d516c854df8760eac17d2a8c46b7815c96e015cf6280770f96624ad924de3ecb7203815d87336d838ad59877839db

Download Submit
C:\Video\config\extraPFZ.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\Video\config\extraPFZ.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\Video\config\pzxrk4325.dll
MD5
457a2d0c13db31222c66c3e623d88063

SHA1
15bd1122fe1a910c3b8f255bbe74de5ffed57fd2

SHA256
a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba

SHA512
5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3

Download Submit
C:\Video\config\reedmi.cvl
MD5
1659459a93acdd26e1253c3a61d4c306

SHA1
b08003deee9edf383190a5b8e3e1d504487439e3

SHA256
37c2c5cf6587c824ba7670c696220d246d9d1a9f619ff0ddfd1f21ca82a97c5c

SHA512
30aaf65dcc1e2e4be19a2e88a2bd9866bdc7b632142130ee5b1a394cdc3c61d4a1b518d4c05d9bf68931ed90b5bcb1acf0bc16a96c775c368816eb33c6ce2180

Download Submit
C:\Video\config\svideo.vbs
MD5
664af4c8be70de64667d91cf849ab6ea

SHA1
8fa378b5e4320d02b839b63a61350784db0fd41a

SHA256
cb7d3e410617f53d4def0c6093cb53c9c12b0dc9c68344e9caeb5357cfb4a277

SHA512
eb99a1a7cd58865a5fa0e7780ec344d1615570bb6dd68635b2009b2dd4fd0df79145ff63bd682bbb28c0da66d1496834f1b869c270885ab02a55cff5d15540a5

Download Submit
\Video\config\extraPFZ.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\Video\config\pzxrk4325.dll
MD5
457a2d0c13db31222c66c3e623d88063

SHA1
15bd1122fe1a910c3b8f255bbe74de5ffed57fd2

SHA256
a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba

SHA512
5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3

Download Submit
memory/564-19-0x0000000000000000-mapping.dmp

Download
memory/820-16-0x0000000000000000-mapping.dmp

Download
memory/884-0-0x0000000000000000-mapping.dmp

Download
memory/884-4-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/936-17-0x0000000002940000-0x0000000002944000-memory.dmp

Filesize
16KB

Download
memory/936-13-0x0000000000000000-mapping.dmp

Download
memory/1096-9-0x0000000000000000-mapping.dmp

Download
memory/1160-3-0x0000000000000000-mapping.dmp

Download
memory/1496-18-0x0000000000000000-mapping.dmp

Download
memory/1620-14-0x0000000000000000-mapping.dmp

Download
memory/1764-24-0x000007FEF6460000-0x000007FEF66DA000-memory.dmp

Filesize
2.5MB

Download
memory/1848-20-0x0000000000000000-mapping.dmp

Download
memory/1848-23-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1956-11-0x0000000000000000-mapping.dmp

Download
memory/1992-5-0x0000000000000000-mapping.dmp

Download