dridex | 935dd5f6759b2409a7140432b11595b7585b985836a14637aa3bd208f4f82b32

Target

Document#578743906539.vbs
Size

980KB
MD5

27588243419b10040ea332eed512e18a
SHA1

c26304277f80fdf95db29aa700a01d650c5f2ed3
SHA256

76d804d87108c6997469997da29236b271519362fe9f7e518a25a102835a7e06
SHA512

3f947d749bc42851cc79e81ca568e5e2ea996c5fc30c24958584f80305fdb72eae5f1f050a347d08758b79f6a9717439bc75c69e64ed198609c713dd1f392412

Score

10^/10

dridex 10555 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10555

38.88.126.131:443

145.239.169.32:8443

163.172.7.152:443

45.79.135.98:691

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1408-11-0x0000000074180000-0x00000000741AB000-memory.dmp	dridex_ldr
behavioral1/memory/1408-10-0x0000000074180000-0x00000000741AB000-memory.dmp	dridex_ldr

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1408 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

1212 regsvr32.exe

pid	process
1408	regsvr32.exe

pid	process
1212	regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.exeregsvr32.exe

description	pid	process	target process
PID 1064 wrote to memory of 2012	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 2012	1064	WScript.exe	cmd.exe
PID 1064 wrote to memory of 2012	1064	WScript.exe	cmd.exe
PID 2012 wrote to memory of 1212	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 1212	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 1212	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 1212	2012	cmd.exe	regsvr32.exe
PID 2012 wrote to memory of 1212	2012	cmd.exe	regsvr32.exe
PID 1212 wrote to memory of 1408	1212	regsvr32.exe	regsvr32.exe
PID 1212 wrote to memory of 1408	1212	regsvr32.exe	regsvr32.exe
PID 1212 wrote to memory of 1408	1212	regsvr32.exe	regsvr32.exe
PID 1212 wrote to memory of 1408	1212	regsvr32.exe	regsvr32.exe
PID 1212 wrote to memory of 1408	1212	regsvr32.exe	regsvr32.exe
PID 1212 wrote to memory of 1408	1212	regsvr32.exe	regsvr32.exe
PID 1212 wrote to memory of 1408	1212	regsvr32.exe	regsvr32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document#578743906539.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c kokoko%random%kokkook & R^eGsv^r32 -s C:\ProgramData\gugbqW.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\regsvr32.exe
ReGsvr32 -s C:\ProgramData\gugbqW.dll
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\regsvr32.exe
-s C:\ProgramData\gugbqW.dll
4⤵
- Loads dropped DLL
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gugbqW.dll
MD5
034a591440ae6a27f9e4a59a4efa9b17

SHA1
2b67765db136e1f778d7cc1fb52baf838faf4be4

SHA256
8d5e06e113548dbb45298bc43d97b64129f97be3c97b62778bbc34f149ad9fd9

SHA512
37747d339fda855991571243b32371c233b0d5b4fba7b6851c56a1307edc993d06d7079b9da8b141f475d9abb917a090c243656b17643f830ec39edc4114be71

Download Submit
\ProgramData\gugbqW.dll
MD5
034a591440ae6a27f9e4a59a4efa9b17

SHA1
2b67765db136e1f778d7cc1fb52baf838faf4be4

SHA256
8d5e06e113548dbb45298bc43d97b64129f97be3c97b62778bbc34f149ad9fd9

SHA512
37747d339fda855991571243b32371c233b0d5b4fba7b6851c56a1307edc993d06d7079b9da8b141f475d9abb917a090c243656b17643f830ec39edc4114be71

Download Submit
memory/1064-9-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/1212-3-0x0000000000000000-mapping.dmp

Download
memory/1212-4-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/1408-6-0x0000000000000000-mapping.dmp

Download
memory/1408-7-0x0000000076101000-0x0000000076103000-memory.dmp

Filesize
8KB

Download
memory/1408-11-0x0000000074180000-0x00000000741AB000-memory.dmp

Filesize
172KB

Download
memory/1408-10-0x0000000074180000-0x00000000741AB000-memory.dmp

Filesize
172KB

Download
memory/1408-12-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1520-13-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp

Filesize
2.5MB

Download
memory/2012-2-0x0000000000000000-mapping.dmp

Download