dridex | 618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414

Analysis

max time kernel
171s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2022 20:48

Target

618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe
Size

204KB
MD5

079514b75ca3452ffca121498243c924
SHA1

a2ad558e5c68e6d9a4821c7ceeb38c399fe11365
SHA256

618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414
SHA512

5a4b01fb09145087fba5e0f06457d7fd5f51caaac4c701a2f9166f0a98c4bd658d90813bcf07502bea1b15f2114b114e84fe8fe1563114c85a12243743ca32e7

Score

10^/10

dridex botnet

Family

dridex

5.196.15.119:443

46.105.131.72:443

157.7.163.144:3389

199.119.78.9:4143

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe

pid	process
5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe
5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe
5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe
5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe

description pid process

Token: SeRestorePrivilege 5000 618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe

description	pid	process
Token: SeRestorePrivilege	5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe

description	pid	process	target process
PID 5000 wrote to memory of 1764	5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe	raserver.exe
PID 5000 wrote to memory of 1764	5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe	raserver.exe
PID 5000 wrote to memory of 1764	5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe	raserver.exe
PID 5000 wrote to memory of 1764	5000	618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe	raserver.exe

C:\Windows\SysWOW64\raserver.exe
C:\Windows\SysWOW64\raserver.exe "C:\Users\Admin\AppData\Local\Temp\618e4394692284350e643d25a71de1a83cc15edfb1d7f15bde95a7e876be0414.exe"
2⤵
PID:1764

memory/1764-133-0x0000000000000000-mapping.dmp

Download
memory/1764-135-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/1764-134-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/1764-137-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/1764-138-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/1764-136-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/1764-139-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/1764-145-0x00000000014B0000-0x00000000014B6000-memory.dmp

Filesize
24KB

Download
memory/5000-130-0x0000000003000000-0x0000000003033000-memory.dmp

Filesize
204KB

Download
memory/5000-132-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download