Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-05-2021 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecde835ba7193d93f5116151a64ae4a47f21b5e6a5bff2f5ae9967ef907ed6cb.dll

  • Size

    162KB

  • MD5

    3198aa867e74a913749ffdf4e11aee10

  • SHA1

    d130367213644ea574a7ad7b0d543e1e5fb5c35a

  • SHA256

    ecde835ba7193d93f5116151a64ae4a47f21b5e6a5bff2f5ae9967ef907ed6cb

  • SHA512

    055af6f200ad45e5c11fa84c8d639134076381e414d8ef29ec6ea34b042079a7394c849692687f88d55f43f27d78bfbcbcd885f756b9e8b3966385551506a386

Score
10/10
badrabbitdridex40112botnetevasionloaderransomwaretrojan

Malware Config

Extracted

Family

dridex

Botnet

40112

C2

107.172.227.10:443

172.93.133.123:2303

108.168.61.147:8172
rc4.plain
rc4.plain

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde835ba7193d93f5116151a64ae4a47f21b5e6a5bff2f5ae9967ef907ed6cb.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde835ba7193d93f5116151a64ae4a47f21b5e6a5bff2f5ae9967ef907ed6cb.dll,#1
      2⤵
      • Checks whether UAC is enabled
      PID:964
  • C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Modifies extensions of user files
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
            PID:2864
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3639060505 && exit"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3639060505 && exit"
            4⤵
            • Creates scheduled task(s)
            PID:4056
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:41:00
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:41:00
            4⤵
            • Creates scheduled task(s)
            PID:3728
        • C:\Windows\C857.tmp
          "C:\Windows\C857.tmp" \\.\pipe\{549FF87C-E091-4ADA-A6BF-6992F19CAAB5}
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3224

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/964-117-0x0000000003360000-0x0000000003366000-memory.dmp

      Filesize

      24KB

      Download

    • memory/964-115-0x0000000073AA0000-0x0000000073ACE000-memory.dmp

      Filesize

      184KB

      Download