Analysis

  • max time kernel
    19s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-06-2021 03:59

General

  • Target

    a9372002533b9473b3ebcfe06f7359b1a3c1e9d7398079f29595e4e50017e127.dll

  • Size

    162KB

  • MD5

    16ac64e5a06a38269788563018a21d7a

  • SHA1

    2f65e814aa13c6db1a6f789cbda654042ef2863e

  • SHA256

    a9372002533b9473b3ebcfe06f7359b1a3c1e9d7398079f29595e4e50017e127

  • SHA512

    e2e7f5e151aea14398302d911b208b4de258ee120bf5b8ba7b992c9016c9ebdf4e563c7194aaa10d8ba0fe7d433385d9ca5d98c00a4602c1b08c523acab1a0c4

Malware Config

Extracted

Family

dridex

Botnet

40112

C2

107.172.227.10:443

172.93.133.123:2303

108.168.61.147:8172

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9372002533b9473b3ebcfe06f7359b1a3c1e9d7398079f29595e4e50017e127.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9372002533b9473b3ebcfe06f7359b1a3c1e9d7398079f29595e4e50017e127.dll,#1
      2⤵
      • Checks whether UAC is enabled
      PID:3176

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3176-115-0x00000000736D0000-0x00000000736FE000-memory.dmp

    Filesize

    184KB

  • memory/3176-117-0x0000000001010000-0x0000000001016000-memory.dmp

    Filesize

    24KB