cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0

General
Target

cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0.dll

Filesize

196KB

Completed

04-03-2021 22:07

Score

10/10

MD5

dd76f4cb0ba5e0b4bbbce3e1039631dc

SHA1

390b2c808937b4bf28c7d3589737b95f6a9030c8

SHA256

cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0

Malware Config

Extracted

Family dridex
Botnet 111
C2

37.247.35.132:443

50.243.30.51:6601

162.241.204.234:6516

rc4.plain
rc4.plain
Signatures 6

Discovery
  • Dridex

    Description

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader

    Description

    Detects Dridex both x86 and x64 loader in memory.

    Reported IOCs

    resource                                                                       yara_rule
    behavioral1/memory/1812-4-0x00000000746D0000-0x0000000074703000-memory.dmp     dridex_ldr
    behavioral1/memory/1812-6-0x00000000746D0000-0x00000000746EF000-memory.dmp     dridex_ldr
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow    pid     process
    5       1812    rundll32.exe
    7       1812    rundll32.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    rundll32.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description          ioc                                                                                     process
    Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description                         pid     process         target process
    PID 1044 wrote to memory of 1812    1044    rundll32.exe    rundll32.exe
    PID 1044 wrote to memory of 1812    1044    rundll32.exe    rundll32.exe
    PID 1044 wrote to memory of 1812    1044    rundll32.exe    rundll32.exe
    PID 1044 wrote to memory of 1812    1044    rundll32.exe    rundll32.exe
    PID 1044 wrote to memory of 1812    1044    rundll32.exe    rundll32.exe
    PID 1044 wrote to memory of 1812    1044    rundll32.exe    rundll32.exe
    PID 1044 wrote to memory of 1812    1044    rundll32.exe    rundll32.exe
Processes 2
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0.dll,#1
      Blocklisted process makes network request
      Checks whether UAC is enabled
      PID:1812
Network
MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/1616-7-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp
  • memory/1812-2-0x0000000000000000-mapping.dmp
  • memory/1812-3-0x00000000760A1000-0x00000000760A3000-memory.dmp
  • memory/1812-4-0x00000000746D0000-0x0000000074703000-memory.dmp
  • memory/1812-5-0x0000000000120000-0x0000000000126000-memory.dmp
  • memory/1812-6-0x00000000746D0000-0x00000000746EF000-memory.dmp