Analysis
-
max time kernel
18s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11-06-2021 00:35
General
-
Target
cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b.dll
-
Size
174KB
-
MD5
2b93de9fb6b448ee31455917281973ab
-
SHA1
774db59d3d816d968d9f5669f03076bb90bffc6f
-
SHA256
cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b
-
SHA512
f657cd36872c39d3e48b3724e6332f7c0b28e19a550f747d552ba2e4aad8bb76ba6b61a77aae0baa27cc7adb46ea0157b98bdb88be4fece3c2db8f147df25d06
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
178.128.220.64:30333
45.79.91.89:9987
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 6443⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3452-114-0x0000000000000000-mapping.dmp
-
memory/3452-115-0x00000000742E0000-0x0000000074310000-memory.dmpFilesize
192KB
-
memory/3452-117-0x0000000003370000-0x0000000003376000-memory.dmpFilesize
24KB