Analysis
-
max time kernel
25s -
max time network
120s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-06-2021 02:31
General
-
Target
c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a.dll
-
Size
170KB
-
MD5
8955b4fb082a3e3a0abb982244b754eb
-
SHA1
c08e1c1f8a895352ebc292ba8ba8c929157fdbe5
-
SHA256
c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a
-
SHA512
b09d4fd0c571e17962539f0f26d3ea518d1005217599b912620b1859844a2f8436319edc0b65c278bc4fc749ace46891ff673cc9162d459768baeac7553d01f7
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
210.65.244.187:443
162.241.41.92:2303
46.231.204.10:8172
185.183.159.100:4125
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 6483⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1032-114-0x0000000000000000-mapping.dmp
-
memory/1032-115-0x0000000074440000-0x000000007446F000-memory.dmpFilesize
188KB
-
memory/1032-117-0x0000000004E50000-0x0000000004E73000-memory.dmpFilesize
140KB