dridex | 28ce2c4d838a1de5a8bbbd10fc8b7db21c82e306338ed40933f7e107bf2a5b06

Analysis

max time kernel
126s
max time network
120s
platform
windows7_x64
resource
win7-en-20211014
submitted
20-10-2021 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5_SMSvcHost.resources.dll
Size

180KB
MD5

49b0e4b2386c4c7f9b0d3f8748bd34e8
SHA1

9450b46850cc52e1128e34e0639c57ed21034991
SHA256

28ce2c4d838a1de5a8bbbd10fc8b7db21c82e306338ed40933f7e107bf2a5b06
SHA512

501cc133f5c88f2fd450afd74f74c1d50d9da0ce9638e8c0894f7dc89057aacd41d4b3d0f8ebe798295d2cfad63ff5fea1499e4cdde0f523a82bf92e3a408b1e

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

155.138.203.91:443

207.180.220.242:8116

46.101.142.214:6891

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1596-56-0x0000000074C10000-0x0000000074C3F000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

324 1596 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

324 WerFault.exe
324 WerFault.exe
324 WerFault.exe
324 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

324 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 324 WerFault.exe

pid	pid_target	process	target process
324	1596	WerFault.exe	rundll32.exe

pid	process
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe

pid	process
324	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	324	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2016 wrote to memory of 1596	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1596	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1596	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1596	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1596	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1596	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1596	2016	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 324	1596	rundll32.exe	WerFault.exe
PID 1596 wrote to memory of 324	1596	rundll32.exe	WerFault.exe
PID 1596 wrote to memory of 324	1596	rundll32.exe	WerFault.exe
PID 1596 wrote to memory of 324	1596	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_SMSvcHost.resources.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_SMSvcHost.resources.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 252
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:324

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-58-0x0000000000000000-mapping.dmp

Download
memory/324-60-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1596-54-0x0000000000000000-mapping.dmp

Download
memory/1596-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1596-56-0x0000000074C10000-0x0000000074C3F000-memory.dmp

Filesize
188KB

Download
memory/1596-59-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download