dridex | 3843d789fde5df893756d4d17ea8d4d06a184915d3999477bb4dc06ee871c100

General

Target

BItnXySrFeNTtqudIaaoW.rtf.hta
Size

5KB
MD5

173662596f9b5261d1030c562fbfa1cb
SHA1

12346b4dc8a92a25977966a65f82e5fbc181e44a
SHA256

3843d789fde5df893756d4d17ea8d4d06a184915d3999477bb4dc06ee871c100
SHA512

054909a433d2fa855f5dccb705c9d26ed9cb599ecab2dfdb24543fb473385c971d2f8727c394d54eeb638b8bc0bce67eb91e0aab04a4993dfbb4eff295cecf75

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

144.91.122.102:443

85.10.248.28:593

185.4.135.27:5228

80.211.3.13:8116

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1712 1260 regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1260	regsvr32.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1584-61-0x0000000072780000-0x000000007280C000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

mshta.exe

flow pid process

5 1692 mshta.exe
7 1692 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1584 regsvr32.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

flow	pid	process
5	1692	mshta.exe
7	1692	mshta.exe

pid	process
1584	regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	696	wmic.exe
Token: SeSecurityPrivilege	696	wmic.exe
Token: SeTakeOwnershipPrivilege	696	wmic.exe
Token: SeLoadDriverPrivilege	696	wmic.exe
Token: SeSystemProfilePrivilege	696	wmic.exe
Token: SeSystemtimePrivilege	696	wmic.exe
Token: SeProfSingleProcessPrivilege	696	wmic.exe
Token: SeIncBasePriorityPrivilege	696	wmic.exe
Token: SeCreatePagefilePrivilege	696	wmic.exe
Token: SeBackupPrivilege	696	wmic.exe
Token: SeRestorePrivilege	696	wmic.exe
Token: SeShutdownPrivilege	696	wmic.exe
Token: SeDebugPrivilege	696	wmic.exe
Token: SeSystemEnvironmentPrivilege	696	wmic.exe
Token: SeRemoteShutdownPrivilege	696	wmic.exe
Token: SeUndockPrivilege	696	wmic.exe
Token: SeManageVolumePrivilege	696	wmic.exe
Token: 33	696	wmic.exe
Token: 34	696	wmic.exe
Token: 35	696	wmic.exe
Token: SeIncreaseQuotaPrivilege	696	wmic.exe
Token: SeSecurityPrivilege	696	wmic.exe
Token: SeTakeOwnershipPrivilege	696	wmic.exe
Token: SeLoadDriverPrivilege	696	wmic.exe
Token: SeSystemProfilePrivilege	696	wmic.exe
Token: SeSystemtimePrivilege	696	wmic.exe
Token: SeProfSingleProcessPrivilege	696	wmic.exe
Token: SeIncBasePriorityPrivilege	696	wmic.exe
Token: SeCreatePagefilePrivilege	696	wmic.exe
Token: SeBackupPrivilege	696	wmic.exe
Token: SeRestorePrivilege	696	wmic.exe
Token: SeShutdownPrivilege	696	wmic.exe
Token: SeDebugPrivilege	696	wmic.exe
Token: SeSystemEnvironmentPrivilege	696	wmic.exe
Token: SeRemoteShutdownPrivilege	696	wmic.exe
Token: SeUndockPrivilege	696	wmic.exe
Token: SeManageVolumePrivilege	696	wmic.exe
Token: 33	696	wmic.exe
Token: 34	696	wmic.exe
Token: 35	696	wmic.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

mshta.exeregsvr32.exe

description	pid	process	target process
PID 1692 wrote to memory of 696	1692	mshta.exe	wmic.exe
PID 1692 wrote to memory of 696	1692	mshta.exe	wmic.exe
PID 1692 wrote to memory of 696	1692	mshta.exe	wmic.exe
PID 1692 wrote to memory of 696	1692	mshta.exe	wmic.exe
PID 1712 wrote to memory of 1584	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1584	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1584	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1584	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1584	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1584	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 1584	1712	regsvr32.exe	regsvr32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\BItnXySrFeNTtqudIaaoW.rtf.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process call create "regsvr32.exe -s C:\\ProgramData\bfnigger.bin"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\\ProgramData\bfnigger.bin
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\regsvr32.exe
-s C:\\ProgramData\bfnigger.bin
2⤵
- Loads dropped DLL
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bfnigger.bin
MD5
63c22ce32346e029fa5a1ec1ae619d0f

SHA1
222cf86c3b59f466292bb734be308cda77c3ddff

SHA256
efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda

SHA512
413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a0f3e28d6a00aee6088fd790faf439a2

SHA1
fa2aec2d0930c93d29f6f4cfccc989e1d15885dc

SHA256
f3837690570d63ff2bf243324655affd2567fae7d8a89e81b984328958aa6309

SHA512
a05ad3103e48226f990047854b34fda9380daed6ec8c99aed42fbf81b6a3fd40720bc6320880cb71acb1bfc03e06b58ab5d49dc774981ea9adf63dbaa31fa2a4

Download Submit
\ProgramData\bfnigger.bin
MD5
63c22ce32346e029fa5a1ec1ae619d0f

SHA1
222cf86c3b59f466292bb734be308cda77c3ddff

SHA256
efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda

SHA512
413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4

Download Submit
memory/696-55-0x0000000000000000-mapping.dmp

Download
memory/1584-58-0x0000000000000000-mapping.dmp

Download
memory/1584-59-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1584-61-0x0000000072780000-0x000000007280C000-memory.dmp

Filesize
560KB

Download
memory/1584-63-0x00000000001B0000-0x0000000000230000-memory.dmp

Filesize
512KB

Download
memory/1712-56-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads