dridex | 6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602

Analysis

max time kernel
25s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
10-08-2021 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602.dll
Size

184KB
MD5

af9649c78f01c1f66ed3bd168a9f0706
SHA1

7d0a50042d24497680bbbb80e2f15bcda4eb834f
SHA256

6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602
SHA512

9c27f47ae305c9174df8c0f5a8aaf19aad8e904d619870e266cb356bdc933ada441230e419ecd5f8eacadfdf3b8aa2ec3e568850cc36d7ec4b45ce2c63d7da86

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.75.201.2:443

158.223.1.108:6225

165.22.28.242:4664

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/4024-115-0x0000000073990000-0x00000000739C0000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2268 4024 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2268	4024	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2268 WerFault.exe
Token: SeBackupPrivilege 2268 WerFault.exe
Token: SeDebugPrivilege 2268 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2268	WerFault.exe
Token: SeBackupPrivilege	2268	WerFault.exe
Token: SeDebugPrivilege	2268	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3128 wrote to memory of 4024	3128	rundll32.exe	rundll32.exe
PID 3128 wrote to memory of 4024	3128	rundll32.exe	rundll32.exe
PID 3128 wrote to memory of 4024	3128	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602.dll,#1
2⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 620
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4024-114-0x0000000000000000-mapping.dmp

Download
memory/4024-115-0x0000000073990000-0x00000000739C0000-memory.dmp

Filesize
192KB

Download
memory/4024-117-0x0000000002B20000-0x0000000002C6A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads