dridex | 9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064

Analysis

max time kernel
143s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-05-2022 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe
Size

747KB
MD5

e3f384c593482912298b6d63db17ae52
SHA1

85baae83db7f4ae7ef36abed2da0959bb14049a2
SHA256

9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064
SHA512

9192d3651bb51ef7e397dea5193dbe317825f2d6e0f57c0d0a224a2139d54d5c2856311e978d97ac4f8a12f909d798f5d220c25876ffa96ef75d38e3d04e99f3

Score

10^/10

dridex 10111 botnet discovery evasion trojan

Malware Config

Extracted

Family

dridex

Botnet

10111

51.254.163.104:1688

142.4.6.57:14043

195.159.28.230:4443

64.225.35.35:3098

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe

pid process

4892 9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe

pid	process
4892	9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe

C:\Users\Admin\AppData\Local\Temp\9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe
"C:\Users\Admin\AppData\Local\Temp\9ca141ae51959b85bb47633c2660ee587745ab720f74cba8973ce06f14963064.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4892-130-0x0000000000530000-0x000000000056C000-memory.dmp

Filesize
240KB

Download
memory/4892-131-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download