dridex | e63419700590e021c61e68cfaccfbe5be4f31aba7fdf703d323c8b14365658e5 | Triage

Analysis

max time kernel
92s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-06-2022 05:26

Sharing

Report Analysis Logs

General

Target

cspwge.dll
Size

425KB
MD5

7d99e955a5f92c1f7809bb6a6609af70
SHA1

a9eae703e5b501bd0ab767782ee4cfad467b736e
SHA256

e63419700590e021c61e68cfaccfbe5be4f31aba7fdf703d323c8b14365658e5
SHA512

e935fad23dc862daf1c55677d255b142f112ac1a6102614c672dd1e75f9c64a54e7266a8a1d45cc5de9b31e85db2281200d5cdb551d0dd544e8d08dddf2641b6

Score

10^/10

dridex 10555 botnet

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

77.220.64.132:443

212.227.53.240:5037

192.241.174.45:8172

rc4.plain

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4908 wrote to memory of 1708	4908	regsvr32.exe	regsvr32.exe
PID 4908 wrote to memory of 1708	4908	regsvr32.exe	regsvr32.exe
PID 4908 wrote to memory of 1708	4908	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cspwge.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\cspwge.dll
2⤵
PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-130-0x0000000000000000-mapping.dmp

Download
memory/1708-131-0x0000000000970000-0x0000000000A5E000-memory.dmp

Filesize
952KB

Download
memory/1708-132-0x0000000000970000-0x0000000000A5E000-memory.dmp

Filesize
952KB

Download
memory/1708-133-0x0000000000970000-0x0000000000A5E000-memory.dmp

Filesize
952KB

Download