dridex | bee7050122d0f8521a11ee7f2e63c70007b217b7558a49629f7a6450a447b74a

Analysis

max time kernel
98s
max time network
12s
platform
windows7_x64
resource
win7-en-20210920
submitted
13-10-2021 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2_kbd101c.dll
Size

180KB
MD5

13607671c64e6859be1f83fb324344f9
SHA1

6ef50dbb7dff8dd9e860fd1c5b36a4f3df1c2863
SHA256

b8e4c68f8843fe8f2f12d5cc636c824a338ddaa24feee9e9e5e380169b07b231
SHA512

4f466b28d492ef583c2a35998eeaf8645b4afe50fc47aa93de6e8b5a504f420b4ba90e2c0be47469135031f43f79aeb3cbd7662eb5b096385be903724bae4bd7

Score

10^/10

dridex 22202 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22202

178.62.205.130:443

45.90.108.123:13786

198.199.98.78:9217

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1620-56-0x0000000075330000-0x000000007535F000-memory.dmp	dridex_ldr
behavioral1/memory/864-60-0x00000000002A0000-0x0000000000300000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

864 1620 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

864 WerFault.exe
864 WerFault.exe
864 WerFault.exe
864 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 864 WerFault.exe

pid	pid_target	process	target process
864	1620	WerFault.exe	rundll32.exe

pid	process
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	864	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1520 wrote to memory of 1620	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1620	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1620	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1620	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1620	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1620	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1620	1520	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 864	1620	rundll32.exe	WerFault.exe
PID 1620 wrote to memory of 864	1620	rundll32.exe	WerFault.exe
PID 1620 wrote to memory of 864	1620	rundll32.exe	WerFault.exe
PID 1620 wrote to memory of 864	1620	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_kbd101c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_kbd101c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 252
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-59-0x0000000000000000-mapping.dmp

Download
memory/864-60-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1620-54-0x0000000000000000-mapping.dmp

Download
memory/1620-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1620-56-0x0000000075330000-0x000000007535F000-memory.dmp

Filesize
188KB

Download
memory/1620-58-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download