dridex | d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3

General

Target

d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3.dll
Size

355KB
MD5

f45d3e9f068eed28b41490774a7857e7
SHA1

d071a9ff48a7172081c3f89d0d5ae4016a523cf9
SHA256

d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3
SHA512

3f005cada6a051500688164ff1f5c5b6043b5e402fbb969d7993f75b89ac26a55fa7bc0c9c60f0a077b9d7bade38b8d12e77529566acb3267cc69b64880d0f19

Score

10^/10

dridex 10555 botnet

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

175.126.167.148:443

173.249.20.233:8043

162.241.204.233:4443

138.122.143.40:8043

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000cd8753b4cbd43424af72b0e5c07c345343879a83ecd3927183864654dec5ee79000000000e80000000020000200000009cd10d7eb61ceb87e56ca3948d82bfd65de9f68cff5fea0e2bea5a0990999157100d0000aa5afcdcf57ed70378735a70eaba96e8ab681f8fd88cf0f17f343d8f530136cdc16a17f4d77d745704d192bc8c07a22dedb05b289a13c032714369881261741be2c8784ac1151a14b59ca14b92bfd98ad4ecdffd32ce548687302552354b7b3be05cb1ad0d592153221d8d26a815222c6e4a146d1ce841ec0525536d79e593451e442f79717320927f0d78d5ba6931c79623be4cd559e4b3562f2beda7fbc5b8a2f519c1e592261ca223938ae4ec26c2766419a04c6a103f4eaa80a016ad5502a544f8ecec6acc9c8ce31b6347638534d7426700c0399a6f8c9dfbe7ab6462615c3d5dd2236063ace3f5c9685afb3156136f7590c7552b4909e7fe109b4aeeec009fdea8d911c62353b7f6c55d10548c6bd0aafbd13671cce8aa7810412fc0bcf4771f0d7a50ea850d2d6483830d8ff0fe60e48407b8971cc54165f04d84c3b9c7018ae06f8ad3fcba3e2b88d6d90d8e383eed63a7e0bbe2d5f63cc970891359d9885da371d7e82c9992d03d904875b106eeaae35ad9cbc3101540a5d06fb8cf455affcdb95dd72a809bd2688647d59f89a36ba3f101c5557d0d80a131fdfd2e82f75dd232622251a0f68a5aaa5fcf360e74d574940e02a5c8e64055be7965ab63f0e3b5989d25d96ef6117484f6f8214716eed1af58074885efcd6121f9e20a177cfb82977fb486bdab6e979b493e5a50e2fcf24c7ae61e52d6946c76868fc8fc2924d04e3223269b32bf8ffe30bac8129600d3e536dab66341a909d3e0c9c64a891a826b2f415f8124349fdd68a3453a6468422aeb6dea0ed54469ba8949e7dbdf7748f863dd2d604edbf6e8957d61ddf6eeeef9d27c6885131a2ca2ade09a79b7cbcf27a1ae08d33d1d15424db057bed870eae0bc39e5356135fbf6168257e000f28cfdd64151eaaa9f412d0e8a9f8e7335454e1166b3f8802f28f86220d5571000ac4e49517ae42582c69320ab9ffcfd0732bff92a67cf44a8b17ed0efbbf5fe1c8db4fda45a49506e6b9e7828ce0993f9362db6ca166a91bf6ae7266ea408ea7d25c6246725bd67407a7b9d193b74b3c1ac7fab39499b2cb3b39fe87aeb036625bb0ff19dd75eb45e780d7deec0f8d24a22679ba1dee7b6c1c7e7b10492d4e5af45644e0c884799f9c043773da69cd506950afe8b4d92cd08df82e37ab69fb6527c19f2931b73649f7cd09135b3f63b9be288b334f422edd653a9080db6e9793bfda709fade2b0fc665f1d0b53b358f7b7b180398ed2358bd4167e79b0978bcf722a78d709ff35bd56157b3f0fd582078022c0967b5d27bf3007dc39a473619185fd8ad5d07624b33030f9881acd816e8c8e12d283244031cd0c5547ffe0aa8015943fc53d026cc9b1d21937a461789c73c61d1fd2b54d0f7bb9f7ec547cd594c3b378a34a8fea3a8c14a9e4e4bc1de8b79556e495e064342bba2815c9d9ad3ea214458678966cb3381707f48c4f3ce22183bc177d87076c63123aa7185fa49c0267f27a63a5d4d31acc763480995918bffee065a64f8091035f997cffe0eb46ca4633d10eadccda813b875019cef4afb11efd8a69a571fd5d5e7a790ff584688b10caf037694f02406d045e93aefbca2beae6c13975ba4dcbf7818d4df7ebbc29cd7c122f1db611f15a91f29affac87c8318006db380dc2cb03af8698796b950a3994281463a05d881680c00b01d51e09e1857c498f87896294f7fa1168520da1b9931ee1c482c569d2c10322b83c0ffd9a5158225fe3a0a6a034608d98f127cf914e08d5dd171ba7e2d61792ca2575264eeab89bd292214ddc74ae3060b78131fb89b8a3f1616cdea4216457eb7e0ec7cf18cd5afe0feb0187ed91f539848c529787d461fe6f8f6ec7b6b6106e059a6813ad9819bc0bd8de33e8e5e31d0f3440aea27cfa2cb8163cb196e1a8d7046a3157d014650fff1b4f292394940b94f456f4d314dd05c308f650ab91750414e96a5cd02da71800f5a22a622fc5a8ce95e5bebe248402506839aca70e70a1fb8bc41587a550a18a068b5debfd64a1e5c43941efe6d748f58b2a71320161f6640a2bbefbbda115788ccda56c0956fa4d04b468ab2f4d4f6730bfe2864f940d7234674fbc5adbd1a1ec4d183f64334eeb2ea0261a5b86d38678d70476fbc928dfe2b0febc3edce12f6af32dcc30e6a35d008153d02421a0addeb8ce8b83121b8f0a3a6055c845ccbb7dde4c86a804fb40f2d9dfb4c1f4a7147519a860a7e4081851bc4706c3c980ffee39842a40051a1fc4d3f542348f300649950fc2bb092423f23e5694fa02b30e02e4aff9705ed01a886150d528c2310590189c66267071f24ed865577bfa4c50df11a69ee0abb41100f4ad15847cd75f2131c02842f34b9e7dca3a582b7ff2e5eb57db44f6919944ba1e0479a42014f8e0422eff5a75a4e0b18929d19dc47f3ed8753431429284cf056fda4c6fb8ece62e4c524e89b4a6ddcbedf38edd149f23ee411507a88ca1447c4c3d390b7ed0a423de076de64c8ba07ecd2b77228203c94813af901e1f91f7c022456d2fe48885b1d87aba7a76990560139ff2ac5e41352d5e374bef1a56ebb81d71960b204bfdb50b58d1013d6ff12238418feace41ce330cefbb8f0df645dd2a63bd6f28b7aff0cde599e75f5734d2d42611147c9b96aa0f495d988bc3fcfa74699cda70a513269605a5d28cf86e355dbb53c0c30664b23576bcf9cda5e9b80b74b43807efdb89e8b24cafb1036d1b8f10632262d4e4196bad6500d3d805aba6db42df30407b2e86f53a6c8cdc9623646361a63eced5730ab1d713aaf39672b81b490960457e51819b8c6af8bcacf9d090192748d0c66bade06bf2e08d1d03c70634291cf4f934a7a2294262a0cf064b549f4aa15177fad9ecbe352c1f3bb1d7054d0c23b76ebba75e3c216eb94fc12d7db1eb8291de090f9b4380ef22f67057d2f9ea059d55f783d9ef5ed9077b7762d96bee739df8ff03a99a8f6072ff8d84f5ebf24ea45dcc415da024d93d7f58efc73ed6e547d315984d308e79ffddfb6bb5fba57f7e2682bb3e520ae7344b3b57a26d0bc98c4f9bf374a95fe885ac962abf1f8819e45f36dbcccd63bd7a75d0c39768b7d954ac1dfb7f433909020e7c705c00271040ffc1a434ff2aa3c70884dbe4ab948b8dc39cafe9b8149928b49941a9da5a3cb7bc924566ac72b9200bbafd3e2042317d400839fca49f62f7a2fe0e04f7dd791d9562eec2e334943d4bf5a1d66fdd117b40f3a44cbe43b1ad6e6f773cded06fc6c2b8cb17fe9bd69aec2ba611c507ad3d174d65e11455041c013ba9ae22d27f693666686eb513774a84f90ae53a26069bcc3bae604107251c1523300553134633edd9be6f73321753fd3df77fc1c479d7f231a32308584b11b588947f33f98a9d1c6cce849a0a7fdeaf99fc31251d5df4ab92ce31b43236572996906a400744fdbf8ffe128e201a0c7975c8ef9f634b5f19f4b8adebe2500793a01e298223a584fb802b2359781cefee7f50554da3d1c998cf8a8a09e7eb118d7307acf36c16f823f9040bff2d74b025a08603d68ca611fe6a98293467be327382d8339ac6dd8ce7e41fb61e9e9b2712be8ccde627bebf64ecdd8bd9f4d08b0360fd3ac851f3b59e2065baba52edcb961ae9466979b34409b75d50f0ce1b30a41e68c132f8bd413da5cd99eeed70c56c25abeb8bdb6e68c65370d2f0d779e5b80c8069b71f3fc9fae0af044d14e0e672196af1e9cb9a8067568692a73773312c55f64fed808a1000ac14b1e9264083661b0d869d08839f77284d5d97a9a5299ddd3b9f54b10d9b773bff32ce67b2ff57c03db9f13015444a4214c36fb407b95ba57e196c4de4e14f563d76855ee232dc4f7170bc4865cdf9780ab025fe3a1a365a846e1e31e52953da42284e62c895155f92240db3d88f2e1f2cae363d48f3a4cf4a315c878b0ee2dcf39f611d986c1046b26343fcf661228681fcd70db965533d336bbb14654b5c0211e02c3a0188c558d15ff24cb36f600fed05dbe1ec34ececbc3b39e39f7eaee53c136a15e51e5a627df80c2b04beb77eb5e03231a4fd64305b073aee594494b5c33e6424428df62fd577182a4198670f25e58b263aa59ca05228b576c0927f8ff8c6509ffd385d97e1412c361db40a9c2bbbf92389b1e6b392a35b1bed517d980606a61998621f380bf57f90e565e22f9cbb2d840fb6ce984cdcb75a23af594e0b1f8632ee618c534ede38c7fe358cac79db21b88600eecfdd451165b39de50e2ac7920e14f586ef0f2bc5b042353bd8f5e34e5cc4f9ac79bb0cba458246ec1ad0cf7088e1c87708fa51cc50ecdcb203b0f6c4cabd1a6efdca56097cdc23e0446287d5e6dbe53c274bf251b475f4a444f3c66297af18d8f473a28951aabb5e2bb2115a8ccba58dc7c9304e4b3f31b8832e1de314ed2e2e72c6ae6da346ea8022c8c33e0250d4441c97edcd8cdcf8b9993a940716aa139f4a3d45bc3c5468baaa27d8e35f8543f3c58458698ac2da486773bd179a580df9f5e79cf2f2a985cedf0b365205fe2ab79283a0507e1972c935256f8df1be77fac95e82981c0b39cff9f1c7f3a27433e072decf43fafbd72d7917996de2a6c637adca1ef6eed15383f7279e3bed28b0bc483b3068551453b5f34e015c9732a9961fac37e259c43639fb49c24d67724d909c0207b1cba9a8a6766849924891d3d3ae57b577b5362ab6778f1aad5a4b84000000010f0e5390e83e7574397226f17225b5ca968a79755d734fd6f6a9d8ab0226bb4dd14db19b7fdd5cd9eae3cace438a567e8bb48bc8a879a4ede459442d3f2068f	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006BD287E52"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006BD287E52 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000f7c2926cd9211ef81534bf7de0c4790b0929cc6a3aa342eb913621d5ec67258f000000000e8000000002000020000000473b6ecf6db200a4ac404f1d32d9baddd0a1d303612a1a3c139b07df289cdd9980000000e0ef0acbada863b0f54c0b45b8f503177a11b2a70b0c0824f8a9d0a0517f43491ab7ded7af0510e37b5748da09f09d18ecf498818877c478332e42c7de0f1e6704d754746bdd65ba553b9bbf8cea206a1c50dc08101c10db6ce1c4b86ff8f5e572b915910638691138264f4eb793b36463ded30770663b29fe8842a4e50c487340000000761abfe3e222e9c466b8a63c30862c8068781e31e98c2cd472890882c9abb50f43d384b6a951cd2c4801bcdd857c44aa3efa1c9205d5176507380c6aebf0a8a2	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1876 wrote to memory of 4312	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 4312	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 4312	1876	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3.dll,#1
2⤵
PID:4312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4312-134-0x0000000000000000-mapping.dmp

Download
memory/4312-135-0x0000000002CC0000-0x0000000002CFD000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing