dridex | 37ebc1f52a70cf7877b89fdf4c06f51192868143b84e51fbb4c654ef331b4125

General

Target

STI_389497438854689.vbs
Size

3.0MB
MD5

abf6e9892c2de2d0df9dc8a80f7dd4ca
SHA1

026493fb163831a7b0678bc51d851dc722d61888
SHA256

4b4d0e3e435b94705cc1d5fc24166adf2c51d5a181a0d68d4ce63ac517f2037c
SHA512

237df4beefc43d8f2c38c492f2e5223ef3782e42ee47099afeee0fa9a157649899f4533a9dc697a694a6726b55982f934a33cb1167b5255e336c89859b5f366f

Score

10^/10

dridex botnet

Malware Config

Extracted

Family

dridex

C2

23.226.225.152:443

178.128.20.11:3389

198.23.146.216:8443

206.189.112.148:691

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 1884 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2536 rundll32.exe
2536 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

1260 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1884	rundll32.exe

pid	process
2536	rundll32.exe
2536	rundll32.exe

pid	process
1260	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3032 wrote to memory of 2536	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2536	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2536	3032	rundll32.exe	rundll32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STI_389497438854689.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1260

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt, AppInfor
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt, AppInfor
2⤵
- Loads dropped DLL
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt
Filesize
480KB

MD5
4a1009b9775d256729a097c324a0cb41

SHA1
1a9f83666b6f08028d08df7dd44b78afbaf712f6

SHA256
9476498ec1794a14150880e7da3265f5e21df788617bdf34e99f025c5fae1594

SHA512
7869cc93886876638de3d32e560d2c9c4b4ec094f0f3f6a026bb233d167eb0fb6bb3f4cce9b24fbbaf6c0c933eb63a493d9effd94e201815423f915e8f7395fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt
Filesize
480KB

MD5
4a1009b9775d256729a097c324a0cb41

SHA1
1a9f83666b6f08028d08df7dd44b78afbaf712f6

SHA256
9476498ec1794a14150880e7da3265f5e21df788617bdf34e99f025c5fae1594

SHA512
7869cc93886876638de3d32e560d2c9c4b4ec094f0f3f6a026bb233d167eb0fb6bb3f4cce9b24fbbaf6c0c933eb63a493d9effd94e201815423f915e8f7395fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt
Filesize
480KB

MD5
4a1009b9775d256729a097c324a0cb41

SHA1
1a9f83666b6f08028d08df7dd44b78afbaf712f6

SHA256
9476498ec1794a14150880e7da3265f5e21df788617bdf34e99f025c5fae1594

SHA512
7869cc93886876638de3d32e560d2c9c4b4ec094f0f3f6a026bb233d167eb0fb6bb3f4cce9b24fbbaf6c0c933eb63a493d9effd94e201815423f915e8f7395fa

Download Submit
memory/2536-131-0x0000000000000000-mapping.dmp

Download
memory/2536-134-0x0000000002D10000-0x0000000003693000-memory.dmp

Filesize
9.5MB

Download
memory/2536-136-0x0000000002D10000-0x0000000003693000-memory.dmp

Filesize
9.5MB

Download
memory/2536-137-0x0000000002D10000-0x0000000002D2D000-memory.dmp

Filesize
116KB

Download
memory/2536-138-0x0000000002D10000-0x0000000003693000-memory.dmp

Filesize
9.5MB

Download
memory/2536-140-0x0000000002D11000-0x0000000002D59000-memory.dmp

Filesize
288KB

Download
memory/2536-142-0x0000000002D10000-0x0000000003693000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing