Analysis
-
max time kernel
18s -
max time network
116s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11-06-2021 03:41
General
-
Target
2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd.dll
-
Size
170KB
-
MD5
fa38d64ccd1d36e1062f3b8adc84f3f0
-
SHA1
2b18585faa29ea574ea4bb354929c3fc2df093cb
-
SHA256
2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd
-
SHA512
7d525c28474699f4fdcba1ce7262c19f62e9b9efd82710e7fdeb174161e54f54105da769e33b2ebbbd8aa479cc9487f743e1ceeb65a3af4c5a407f275f5d996a
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
210.65.244.187:443
162.241.41.92:2303
46.231.204.10:8172
185.183.159.100:4125
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 6563⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4468-114-0x0000000000000000-mapping.dmp
-
memory/4468-115-0x0000000074290000-0x00000000742BF000-memory.dmpFilesize
188KB
-
memory/4468-117-0x0000000000F90000-0x0000000000F96000-memory.dmpFilesize
24KB