Analysis

  • max time kernel
    47s
  • max time network
    76s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-11-2020 05:13

General

  • Target

    Amazon_eGift-Card_579366314.scr

  • Size

    905KB

  • MD5

    e3c73316a5a270a82f24e56ec0f62e0e

  • SHA1

    a8adc02637c62262e02f0097222cda0cd2aef013

  • SHA256

    ee492eda053d19e082cd88acef8825e8dfd4616d51689e2e9667f5ed9035b1df

  • SHA512

    b5079ed75843810c30d8c9e947917f9968f3930a7a7ca9b70f0ca22804aa2b29dbeb57c0eee18b94376817949b793ba74a64813fcd52a9e8f30660e4833ea6c5

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

194.225.58.216:443

178.254.40.132:691

216.172.165.70:3889

198.57.200.100:3786

rc4.plain

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 4 IoCs
  • Suspicious use of WriteProcessMemory 77 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Amazon_eGift-Card_579366314.scr
    "C:\Users\Admin\AppData\Local\Temp\Amazon_eGift-Card_579366314.scr" /S
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Video\config\svideo.vbs" /f=CREATE_NO_WINDOW install.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Video\config\elp.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1980
        • C:\Video\config\extraPFZ.exe
          "extraPFZ.exe" e -pVursion cvn5869508.rar
          4⤵
          • Executes dropped EXE
          PID:664
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:268
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Video\config\chinatown.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Video\config\7p.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1040
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\Video"
              6⤵
              • Views/modifies file attributes
              PID:528
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:612
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32 -s pzxrk4325.dll
              6⤵
              • Loads dropped DLL
              PID:1136
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Hidden Files and Directories (2) T1158
  • Defense Evasion
    Hidden Files and Directories (2) T1158
  • Discovery
    System Information Discovery (1) T1082


Downloads

  • C:\Video\config\7p.bat
    MD5

    e94a811e7efd1d3615123b7642472d0a

    SHA1

    88b985970ad4a3b9da13262e47f7211d535c8738

    SHA256

    318e6fec79a00bac1f3e14b21aac6a9e6df11290ece1f57011e755c077cfc83c

    SHA512

    eb58d58103a8eb7989a4ecb245889eae1e179cf1cc17f2a07901edb00e3b727a309b1c1569ef680f51c998016829c764d1fe35b193a647d5fece4c24c8c14387

  • C:\Video\config\chinatown.vbs
    MD5

    e36f6c0eb7c04e04074230bb5c0d2683

    SHA1

    a48a3a27a6746c1ce5417bb77e9a792642a9c6eb

    SHA256

    7e87a583d7ce276cf430bb9eeab7ff48e34b1b8413bae3cadbef47884ae9521f

    SHA512

    daa2fb0c0a0bf3604eb9e929b45723d1bf6474a6f82cbea971bf9015730801e1a844afd8e87bf2a71952491bdbd3aecd097da7ad9581bfbc29da4486f48e8182

  • C:\Video\config\elp.bat
    MD5

    413bfe1c6c922e4d55d1572bfd8979c0

    SHA1

    d998b64917159bc30b816d28ee78794067d92637

    SHA256

    07c5e188ceca4bcd4d0ec7757ff03359402b0902bfe7ffe851fe81552f467153

    SHA512

    b31683c8124fb4294756af24186fddbf7f8d516c854df8760eac17d2a8c46b7815c96e015cf6280770f96624ad924de3ecb7203815d87336d838ad59877839db

  • C:\Video\config\extraPFZ.exe
    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • C:\Video\config\pzxrk4325.dll
    MD5

    457a2d0c13db31222c66c3e623d88063

    SHA1

    15bd1122fe1a910c3b8f255bbe74de5ffed57fd2

    SHA256

    a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba

    SHA512

    5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3

  • C:\Video\config\reedmi.cvl
    MD5

    1659459a93acdd26e1253c3a61d4c306

    SHA1

    b08003deee9edf383190a5b8e3e1d504487439e3

    SHA256

    37c2c5cf6587c824ba7670c696220d246d9d1a9f619ff0ddfd1f21ca82a97c5c

    SHA512

    30aaf65dcc1e2e4be19a2e88a2bd9866bdc7b632142130ee5b1a394cdc3c61d4a1b518d4c05d9bf68931ed90b5bcb1acf0bc16a96c775c368816eb33c6ce2180

  • C:\Video\config\svideo.vbs
    MD5

    664af4c8be70de64667d91cf849ab6ea

    SHA1

    8fa378b5e4320d02b839b63a61350784db0fd41a

    SHA256

    cb7d3e410617f53d4def0c6093cb53c9c12b0dc9c68344e9caeb5357cfb4a277

    SHA512

    eb99a1a7cd58865a5fa0e7780ec344d1615570bb6dd68635b2009b2dd4fd0df79145ff63bd682bbb28c0da66d1496834f1b869c270885ab02a55cff5d15540a5

  • \Video\config\extraPFZ.exe
    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • \Video\config\pzxrk4325.dll
    MD5

    457a2d0c13db31222c66c3e623d88063

    SHA1

    15bd1122fe1a910c3b8f255bbe74de5ffed57fd2

    SHA256

    a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba

    SHA512

    5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3

  • memory/268-11-0x0000000000000000-mapping.dmp
  • memory/528-18-0x0000000000000000-mapping.dmp
  • memory/612-19-0x0000000000000000-mapping.dmp
  • memory/664-9-0x0000000000000000-mapping.dmp
  • memory/1040-16-0x0000000000000000-mapping.dmp
  • memory/1124-3-0x0000000000000000-mapping.dmp
  • memory/1136-20-0x0000000000000000-mapping.dmp
  • memory/1136-23-0x0000000001E80000-0x0000000001EBD000-memory.dmp
    Filesize

    244KB

  • memory/1184-14-0x0000000000000000-mapping.dmp
  • memory/1568-4-0x0000000002820000-0x0000000002824000-memory.dmp
    Filesize

    16KB

  • memory/1568-0-0x0000000000000000-mapping.dmp
  • memory/1752-13-0x0000000000000000-mapping.dmp
  • memory/1752-17-0x00000000027E0000-0x00000000027E4000-memory.dmp
    Filesize

    16KB

  • memory/1764-24-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp
    Filesize

    2.5MB

  • memory/1980-5-0x0000000000000000-mapping.dmp