dridex | 7f62e9d0e2cb7358202052b4b20f43cec7eed7db11c57cfb372f8fddfb9307a3

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-en-20211208
submitted
23-12-2021 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

triage_dropped_file.dll
Size

552KB
MD5

7d424a845f21f905b17fb1e4ece26bc4
SHA1

129162c17505204008b8c6345f78d8bd8e9d9548
SHA256

7f62e9d0e2cb7358202052b4b20f43cec7eed7db11c57cfb372f8fddfb9307a3
SHA512

abc7141739ffb23ba3e982796e697e33a5c3108fa7910cf97ca4fc6a1e9dbdadbd10b27665da4829f753794df3f0d2a79adfc9aee91863d60ec70042309bc6a6

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

144.91.122.102:443

85.10.248.28:593

185.4.135.27:5228

80.211.3.13:8116

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/956-55-0x0000000075480000-0x000000007550C000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1608 956 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1608 WerFault.exe
1608 WerFault.exe
1608 WerFault.exe
1608 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1608 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1608 WerFault.exe

pid	pid_target	process	target process
1608	956	WerFault.exe	rundll32.exe

pid	process
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe

pid	process
1608	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1608	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 804 wrote to memory of 956	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 956	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 956	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 956	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 956	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 956	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 956	804	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1608	956	rundll32.exe	WerFault.exe
PID 956 wrote to memory of 1608	956	rundll32.exe	WerFault.exe
PID 956 wrote to memory of 1608	956	rundll32.exe	WerFault.exe
PID 956 wrote to memory of 1608	956	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 224
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1608

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-53-0x0000000000000000-mapping.dmp

Download
memory/956-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/956-55-0x0000000075480000-0x000000007550C000-memory.dmp

Filesize
560KB

Download
memory/956-59-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/1608-57-0x0000000000000000-mapping.dmp

Download
memory/1608-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download