dridex | 584535560c1edb7f31466ce2efacf0cd4ca94cb91929aaf08f22ac530071f88e

Analysis

max time kernel
122s
max time network
220s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5_netplwiz.dll
Size

180KB
MD5

766cbe3c26ced2d55252490f519ff4fa
SHA1

a31074006b5aca4e681cd72fd0055bff85c584b2
SHA256

b34a364fca951188246775346510738b9ac99cc01976e916b1095a6a4f97bbe3
SHA512

c78114cb47d1533de96eba4c6c98534d370e46b34c188b28e2c24a073855f90557d6790b3dda6f11b00961b9be5e09126216995e3bea8be7e86b441b72526f40

Score

10^/10

dridex 22202 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22202

155.138.203.91:443

207.180.220.242:8116

46.101.142.214:6891

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/2788-116-0x0000000073530000-0x000000007355F000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2176 2788 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2176	2788	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe
2176	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2176 WerFault.exe
Token: SeBackupPrivilege 2176 WerFault.exe
Token: SeDebugPrivilege 2176 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2176	WerFault.exe
Token: SeBackupPrivilege	2176	WerFault.exe
Token: SeDebugPrivilege	2176	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1808 wrote to memory of 2788	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2788	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 2788	1808	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_netplwiz.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_netplwiz.dll,#1
2⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 628
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2788-115-0x0000000000000000-mapping.dmp

Download
memory/2788-116-0x0000000073530000-0x000000007355F000-memory.dmp

Filesize
188KB

Download
memory/2788-118-0x0000000003050000-0x0000000003056000-memory.dmp

Filesize
24KB

Download