Analysis

  • max time kernel
    19s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    29-06-2021 03:34

General

  • Target

    57747280693f23c8aa9104e45132ac5da66f633595592df59c998a75763cc0f2.dll

  • Size

    158KB

  • MD5

    e90a5791423d5b06c16facd89f66354d

  • SHA1

    883fd905134dfdfee04d91a39930e1e4a9f30c29

  • SHA256

    57747280693f23c8aa9104e45132ac5da66f633595592df59c998a75763cc0f2

  • SHA512

    50a4d8f30439a84ae3eee08230421f33816ca7cc2dd0bd7385219fa260baedb12bdf36ab365ace2d470e8a5a8f1f823fa5017edaa0ea9ba89daa5e344fdc2f4c

Malware Config

Extracted

Family

dridex

Botnet

40112

C2

8.210.53.215:443

72.249.22.245:2303

188.40.137.206:8172

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\57747280693f23c8aa9104e45132ac5da66f633595592df59c998a75763cc0f2.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\57747280693f23c8aa9104e45132ac5da66f633595592df59c998a75763cc0f2.dll,#1
      2⤵
      • Checks whether UAC is enabled
      PID:1972

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1972-114-0x0000000000000000-mapping.dmp

  • memory/1972-115-0x0000000073660000-0x000000007368D000-memory.dmp

    Filesize

    180KB

  • memory/1972-117-0x0000000002DA0000-0x0000000002DA6000-memory.dmp

    Filesize

    24KB