Analysis

  • max time kernel
    19s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    18-06-2021 17:08

General

  • Target

    /Users/T1658/Documents/Malicious /TEST/148bdfb33c53bce3918e9ae50a562a55.exe.dll

  • Size

    204KB

  • MD5

    e9f989c9e0781492ecd20e8d158017b5

  • SHA1

    3240e212a3baf1948e0833584aee723cc92ae58e

  • SHA256

    1ec0c50a6a88953424432220a872a3b877060534563823bac83a61c624ae1699

  • SHA512

    4ce58ded4b084fd32611a575a30b2381b6f99c37f0694e20632ff7d56da6d8852c8c37fb78dd7c860ac2176ed982713796dd1646300af1ddd8a533d555e27334

Malware Config

Extracted

Family

dridex

Botnet

40111

C2

45.58.56.12:443

162.241.54.59:6601

51.91.76.89:2303

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\payload.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\payload.dll,#1
      2⤵
      • Checks whether UAC is enabled
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1660-114-0x0000000000000000-mapping.dmp

  • memory/1660-115-0x0000000073DD0000-0x0000000073E05000-memory.dmp

    Filesize

    212KB

  • memory/1660-117-0x0000000002DC0000-0x0000000002DC6000-memory.dmp

    Filesize

    24KB