Analysis

  • max time kernel
    26s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-06-2021 01:54

General

  • Target

    7a5a9870c47ecedf663f5c9ae432604c7443f0ff5cc4ea422c08e9c329964a2f.dll

  • Size

    162KB

  • MD5

    bd6036fd3bbf3cab6b95966c3fbacd26

  • SHA1

    c01cee3ba04514b40068747a502d6217294dded0

  • SHA256

    7a5a9870c47ecedf663f5c9ae432604c7443f0ff5cc4ea422c08e9c329964a2f

  • SHA512

    2e9f3d07be0469806738d2648d2fe47217d5d3d6a66cead363884e97afb3b781aaea3bec3dc9df11715e856270b94348ab2b77f0cf86a68df6b124556757a7c4

Malware Config

Extracted

Family

dridex

Botnet

40112

C2

107.172.227.10:443

172.93.133.123:2303

108.168.61.147:8172

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a5a9870c47ecedf663f5c9ae432604c7443f0ff5cc4ea422c08e9c329964a2f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a5a9870c47ecedf663f5c9ae432604c7443f0ff5cc4ea422c08e9c329964a2f.dll,#1
      2⤵
      • Checks whether UAC is enabled
      PID:1628

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1628-114-0x0000000000000000-mapping.dmp

  • memory/1628-115-0x00000000008D0000-0x00000000008D6000-memory.dmp

    Filesize

    24KB

  • memory/1628-116-0x0000000073560000-0x000000007358E000-memory.dmp

    Filesize

    184KB