dridex | 3843d789fde5df893756d4d17ea8d4d06a184915d3999477bb4dc06ee871c100

General

Target

BItnXySrFeNTtqudIaaoW.rtf.hta
Size

5KB
MD5

173662596f9b5261d1030c562fbfa1cb
SHA1

12346b4dc8a92a25977966a65f82e5fbc181e44a
SHA256

3843d789fde5df893756d4d17ea8d4d06a184915d3999477bb4dc06ee871c100
SHA512

054909a433d2fa855f5dccb705c9d26ed9cb599ecab2dfdb24543fb473385c971d2f8727c394d54eeb638b8bc0bce67eb91e0aab04a4993dfbb4eff295cecf75

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

144.91.122.102:443

85.10.248.28:593

185.4.135.27:5228

80.211.3.13:8116

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 4344 regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4344	regsvr32.exe

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/4436-119-0x0000000070080000-0x000000007010C000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

mshta.exe

flow pid process

9 3664 mshta.exe
11 3664 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4436 regsvr32.exe

flow	pid	process
9	3664	mshta.exe
11	3664	mshta.exe

pid	process
4436	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4044	wmic.exe
Token: SeSecurityPrivilege	4044	wmic.exe
Token: SeTakeOwnershipPrivilege	4044	wmic.exe
Token: SeLoadDriverPrivilege	4044	wmic.exe
Token: SeSystemProfilePrivilege	4044	wmic.exe
Token: SeSystemtimePrivilege	4044	wmic.exe
Token: SeProfSingleProcessPrivilege	4044	wmic.exe
Token: SeIncBasePriorityPrivilege	4044	wmic.exe
Token: SeCreatePagefilePrivilege	4044	wmic.exe
Token: SeBackupPrivilege	4044	wmic.exe
Token: SeRestorePrivilege	4044	wmic.exe
Token: SeShutdownPrivilege	4044	wmic.exe
Token: SeDebugPrivilege	4044	wmic.exe
Token: SeSystemEnvironmentPrivilege	4044	wmic.exe
Token: SeRemoteShutdownPrivilege	4044	wmic.exe
Token: SeUndockPrivilege	4044	wmic.exe
Token: SeManageVolumePrivilege	4044	wmic.exe
Token: 33	4044	wmic.exe
Token: 34	4044	wmic.exe
Token: 35	4044	wmic.exe
Token: 36	4044	wmic.exe
Token: SeIncreaseQuotaPrivilege	4044	wmic.exe
Token: SeSecurityPrivilege	4044	wmic.exe
Token: SeTakeOwnershipPrivilege	4044	wmic.exe
Token: SeLoadDriverPrivilege	4044	wmic.exe
Token: SeSystemProfilePrivilege	4044	wmic.exe
Token: SeSystemtimePrivilege	4044	wmic.exe
Token: SeProfSingleProcessPrivilege	4044	wmic.exe
Token: SeIncBasePriorityPrivilege	4044	wmic.exe
Token: SeCreatePagefilePrivilege	4044	wmic.exe
Token: SeBackupPrivilege	4044	wmic.exe
Token: SeRestorePrivilege	4044	wmic.exe
Token: SeShutdownPrivilege	4044	wmic.exe
Token: SeDebugPrivilege	4044	wmic.exe
Token: SeSystemEnvironmentPrivilege	4044	wmic.exe
Token: SeRemoteShutdownPrivilege	4044	wmic.exe
Token: SeUndockPrivilege	4044	wmic.exe
Token: SeManageVolumePrivilege	4044	wmic.exe
Token: 33	4044	wmic.exe
Token: 34	4044	wmic.exe
Token: 35	4044	wmic.exe
Token: 36	4044	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

mshta.exeregsvr32.exe

description	pid	process	target process
PID 3664 wrote to memory of 4044	3664	mshta.exe	wmic.exe
PID 3664 wrote to memory of 4044	3664	mshta.exe	wmic.exe
PID 3664 wrote to memory of 4044	3664	mshta.exe	wmic.exe
PID 4468 wrote to memory of 4436	4468	regsvr32.exe	regsvr32.exe
PID 4468 wrote to memory of 4436	4468	regsvr32.exe	regsvr32.exe
PID 4468 wrote to memory of 4436	4468	regsvr32.exe	regsvr32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\BItnXySrFeNTtqudIaaoW.rtf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process call create "regsvr32.exe -s C:\\ProgramData\bfnigger.bin"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\\ProgramData\bfnigger.bin
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\regsvr32.exe
-s C:\\ProgramData\bfnigger.bin
2⤵
- Loads dropped DLL
PID:4436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bfnigger.bin
MD5
63c22ce32346e029fa5a1ec1ae619d0f

SHA1
222cf86c3b59f466292bb734be308cda77c3ddff

SHA256
efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda

SHA512
413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4

Download Submit
\ProgramData\bfnigger.bin
MD5
63c22ce32346e029fa5a1ec1ae619d0f

SHA1
222cf86c3b59f466292bb734be308cda77c3ddff

SHA256
efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda

SHA512
413efdf48b13d8cd6cb9f799215a7c34588995ba5f48c4db855ad332c3b4b6b7c753ff361d0cd850a728ec68c76b47e96aaac604f3bdb069920d930c422bd0f4

Download Submit
memory/4044-115-0x0000000000000000-mapping.dmp

Download
memory/4436-117-0x0000000000000000-mapping.dmp

Download
memory/4436-119-0x0000000070080000-0x000000007010C000-memory.dmp

Filesize
560KB

Download
memory/4436-121-0x00000000012A0000-0x00000000012A6000-memory.dmp

Filesize
24KB

Download
memory/4436-123-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4436-122-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4436-124-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads