Analysis
-
max time kernel
24s -
max time network
121s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-06-2021 00:36
General
-
Target
cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5.dll
-
Size
170KB
-
MD5
4958ba79c4b23425969558db6d01e600
-
SHA1
c5fb5156c9131306284b66b56779c3bf37252faa
-
SHA256
cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5
-
SHA512
f862a50992024571f002ce15fd9ba6f1914eb25f45b5f5734dc656485e77e4b2364410eb5fe081e89c925d1705ba16f51e12ef7046780f9d869734a2f7960ffc
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
210.65.244.187:443
162.241.41.92:2303
46.231.204.10:8172
185.183.159.100:4125
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 6483⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1044-114-0x0000000000000000-mapping.dmp
-
memory/1044-115-0x00000000736D0000-0x00000000736FF000-memory.dmpFilesize
188KB
-
memory/1044-117-0x00000000009F0000-0x00000000009F6000-memory.dmpFilesize
24KB