dridex | 48bcae0537f84736120735b1c6da0d8f3d8c2a1b959f0f50f5fa34b1e317401f

Analysis

max time kernel
896s
max time network
1220s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xnma.exe
Size

272KB
MD5

a6a1cd721b167906fc93aaed78b9e269
SHA1

26b3044bf37d97dd73b7f8a50aa96a45b03db561
SHA256

48bcae0537f84736120735b1c6da0d8f3d8c2a1b959f0f50f5fa34b1e317401f
SHA512

ea61285736545f50dffd31ffd51d6cb870f2cc737ec82628e0f51e2bc02ef33b967e4c48296fee5ffc7e89c2f9fa7f7b9fad92a30683cfc8edf039491adc46aa

Score

10^/10

dridex botnet discovery evasion loader trojan

Malware Config

Extracted

Family

dridex

46.105.131.86:443

5.39.91.110:691

5.133.242.156:170

64.22.124.239:691

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2596-116-0x0000000000400000-0x0000000000463000-memory.dmp	dridex_ldr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

xnma.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xnma.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xnma.exe

pid process

2596 xnma.exe
2596 xnma.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xnma.exe

description pid process

Token: SeDebugPrivilege 2596 xnma.exe
Token: SeTcbPrivilege 2596 xnma.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xnma.exe

pid	process
2596	xnma.exe
2596	xnma.exe

description	pid	process
Token: SeDebugPrivilege	2596	xnma.exe
Token: SeTcbPrivilege	2596	xnma.exe

C:\Users\Admin\AppData\Local\Temp\xnma.exe
"C:\Users\Admin\AppData\Local\Temp\xnma.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-116-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download