dridex | 6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699

Analysis

max time kernel
122s
max time network
123s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-12-2021 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699.dll
Size

552KB
MD5

3e7d095ad538d8c095d8009df9f688c5
SHA1

ae102343271f19472f262df1e26e16e2b8b7f26d
SHA256

6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699
SHA512

7a7b33dd102b49b3561899d2b503a14a4e17c6a7df62e7883ddcafb173c0e9aa934e23fd5dfb3de6a4555d200f7a67473ff86ec3737d0f4fc76ec10a9b82d417

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

144.91.122.102:443

85.10.248.28:593

185.4.135.27:5228

80.211.3.13:8116

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/3764-116-0x0000000074240000-0x00000000742CC000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3888 3764 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3888	3764	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3888 WerFault.exe
Token: SeBackupPrivilege 3888 WerFault.exe
Token: SeDebugPrivilege 3888 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3888	WerFault.exe
Token: SeBackupPrivilege	3888	WerFault.exe
Token: SeDebugPrivilege	3888	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3488 wrote to memory of 3764	3488	rundll32.exe	rundll32.exe
PID 3488 wrote to memory of 3764	3488	rundll32.exe	rundll32.exe
PID 3488 wrote to memory of 3764	3488	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699.dll,#1
2⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 628
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3764-115-0x0000000000000000-mapping.dmp

Download
memory/3764-116-0x0000000074240000-0x00000000742CC000-memory.dmp

Filesize
560KB

Download
memory/3764-118-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download