dridex | 4b4d0e3e435b94705cc1d5fc24166adf2c51d5a181a0d68d4ce63ac517f2037c

General

Target

4b4d0e3e435b94705cc1d5fc24166adf2c51d5a181a0d68d4ce63ac517f2037c.vbs
Size

3.0MB
MD5

abf6e9892c2de2d0df9dc8a80f7dd4ca
SHA1

026493fb163831a7b0678bc51d851dc722d61888
SHA256

4b4d0e3e435b94705cc1d5fc24166adf2c51d5a181a0d68d4ce63ac517f2037c
SHA512

237df4beefc43d8f2c38c492f2e5223ef3782e42ee47099afeee0fa9a157649899f4533a9dc697a694a6726b55982f934a33cb1167b5255e336c89859b5f366f

Score

10^/10

dridex botnet

Malware Config

Extracted

Family

dridex

C2

23.226.225.152:443

178.128.20.11:3389

198.23.146.216:8443

206.189.112.148:691

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 4576 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4896 rundll32.exe
4896 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

5048 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4576	rundll32.exe

pid	process
4896	rundll32.exe
4896	rundll32.exe

pid	process
5048	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4364 wrote to memory of 4896	4364	rundll32.exe	rundll32.exe
PID 4364 wrote to memory of 4896	4364	rundll32.exe	rundll32.exe
PID 4364 wrote to memory of 4896	4364	rundll32.exe	rundll32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b4d0e3e435b94705cc1d5fc24166adf2c51d5a181a0d68d4ce63ac517f2037c.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5048

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt, AppInfor
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt, AppInfor
2⤵
- Loads dropped DLL
PID:4896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt

Filesize
480KB

MD5
4a1009b9775d256729a097c324a0cb41

SHA1
1a9f83666b6f08028d08df7dd44b78afbaf712f6

SHA256
9476498ec1794a14150880e7da3265f5e21df788617bdf34e99f025c5fae1594

SHA512
7869cc93886876638de3d32e560d2c9c4b4ec094f0f3f6a026bb233d167eb0fb6bb3f4cce9b24fbbaf6c0c933eb63a493d9effd94e201815423f915e8f7395fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt

Filesize
480KB

MD5
4a1009b9775d256729a097c324a0cb41

SHA1
1a9f83666b6f08028d08df7dd44b78afbaf712f6

SHA256
9476498ec1794a14150880e7da3265f5e21df788617bdf34e99f025c5fae1594

SHA512
7869cc93886876638de3d32e560d2c9c4b4ec094f0f3f6a026bb233d167eb0fb6bb3f4cce9b24fbbaf6c0c933eb63a493d9effd94e201815423f915e8f7395fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUsDQCkXGAzRw.txt

Filesize
480KB

MD5
4a1009b9775d256729a097c324a0cb41

SHA1
1a9f83666b6f08028d08df7dd44b78afbaf712f6

SHA256
9476498ec1794a14150880e7da3265f5e21df788617bdf34e99f025c5fae1594

SHA512
7869cc93886876638de3d32e560d2c9c4b4ec094f0f3f6a026bb233d167eb0fb6bb3f4cce9b24fbbaf6c0c933eb63a493d9effd94e201815423f915e8f7395fa

Download Submit
memory/4896-131-0x0000000000000000-mapping.dmp

Download
memory/4896-134-0x0000000002380000-0x0000000002D03000-memory.dmp

Filesize
9.5MB

Download
memory/4896-136-0x0000000002380000-0x0000000002D03000-memory.dmp

Filesize
9.5MB

Download
memory/4896-137-0x0000000002380000-0x000000000239D000-memory.dmp

Filesize
116KB

Download
memory/4896-138-0x0000000002380000-0x0000000002D03000-memory.dmp

Filesize
9.5MB

Download
memory/4896-140-0x0000000002381000-0x00000000023C9000-memory.dmp

Filesize
288KB

Download
memory/4896-142-0x0000000002380000-0x0000000002D03000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing