dridex | 2d9bb4e3fddfe5dc51c54cba74a1eb594c7be9d34774524d972350edd85e6499

Resubmissions

08-02-2024 01:32

240208-bx7pqsbg96 10

27-01-2024 14:19

240127-rmwgqadhc4 10

Analysis

max time kernel
138s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
Size

152KB
MD5

6164228ed2cc0eceba9ce1828d87d827
SHA1

cea5bc473c948a78ce565b6e195e6e25f029c0c6
SHA256

7fa83f0588f0f50d0635313918137c05cb59aa672d842f864073aebb72c66195
SHA512

b53ac27397ce5453fa008d1a2e98f9f66be7d7f08375b92c88007544c09ab844d6c8eeceb2221c988e0a0d6ffc2a8a290e49715e3062a74bcd2310d41bffcc37
SSDEEP

3072:VqD/ri6AM4odK4J663POAQgG8rYKvh+5Nl:V0xlIBwPOA+8Zhu

Score

10^/10

dridex botnet

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1248 svchost.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2360 net.exe

pid	process
1248	svchost.exe

pid	process
2360	net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Trojan.Dridex.A.exesvchost.exe

pid	process
2616	Trojan.Dridex.A.exe
2616	Trojan.Dridex.A.exe
2616	Trojan.Dridex.A.exe
2616	Trojan.Dridex.A.exe
1248	svchost.exe
1248	svchost.exe
1248	svchost.exe
1248	svchost.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Trojan.Dridex.A.exewhoami.exe

description	pid	process
Token: SeRestorePrivilege	2616	Trojan.Dridex.A.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe
Token: SeDebugPrivilege	2036	whoami.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Trojan.Dridex.A.exesvchost.exe

description	pid	process	target process
PID 2616 wrote to memory of 1248	2616	Trojan.Dridex.A.exe	svchost.exe
PID 2616 wrote to memory of 1248	2616	Trojan.Dridex.A.exe	svchost.exe
PID 2616 wrote to memory of 1248	2616	Trojan.Dridex.A.exe	svchost.exe
PID 2616 wrote to memory of 1248	2616	Trojan.Dridex.A.exe	svchost.exe
PID 1248 wrote to memory of 2036	1248	svchost.exe	whoami.exe
PID 1248 wrote to memory of 2036	1248	svchost.exe	whoami.exe
PID 1248 wrote to memory of 2036	1248	svchost.exe	whoami.exe
PID 1248 wrote to memory of 2360	1248	svchost.exe	net.exe
PID 1248 wrote to memory of 2360	1248	svchost.exe	net.exe
PID 1248 wrote to memory of 2360	1248	svchost.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
3⤵
- Discovers systems in the same network
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-10-0x0000000003000000-0x000000000302F000-memory.dmp

Filesize
188KB

Download
memory/1248-8-0x0000000003000000-0x000000000302F000-memory.dmp

Filesize
188KB

Download
memory/1248-2-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1248-29-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/1248-5-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/1248-7-0x0000000003000000-0x000000000302F000-memory.dmp

Filesize
188KB

Download
memory/1248-14-0x0000000000E40000-0x0000000000E46000-memory.dmp

Filesize
24KB

Download
memory/1248-9-0x0000000003000000-0x000000000302F000-memory.dmp

Filesize
188KB

Download
memory/1248-11-0x0000000003000000-0x000000000302F000-memory.dmp

Filesize
188KB

Download
memory/1248-12-0x0000000003000000-0x000000000302F000-memory.dmp

Filesize
188KB

Download
memory/1248-6-0x0000000003000000-0x000000000302F000-memory.dmp

Filesize
188KB

Download
memory/2616-1-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/2616-0-0x0000000002730000-0x000000000275F000-memory.dmp

Filesize
188KB

Download
memory/2616-4-0x0000000002730000-0x000000000275F000-memory.dmp

Filesize
188KB

Download