dridex | 165fb59360683122125271d668cfb28c3ad9502d559e491856005178fb22a254

Resubmissions

29-04-2024 17:56

240429-wjgllsgg29 10

17-04-2024 14:59

240417-sc15wsef8y 10

16-04-2024 14:20

240416-rnxq6sdg3t 10

Analysis

max time kernel
1706s
max time network
1713s
platform
windows10-1703_x64
resource
win10-20240404-de
resource tags

arch:x64arch:x86image:win10-20240404-delocale:de-deos:windows10-1703-x64systemwindows
submitted
16-04-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.exe
Size

140KB
MD5

925da3a10f7dde802c8d87047b14fda6
SHA1

1fc59fbf692f690b9fe82cfafc9dcbd5aac31a68
SHA256

c94fe7b646b681ac85756b4ce7f85f4745a7b505f1a2215ba8b58375238bad10
SHA512

82588188de13f34cd751da7409f780c4fc5814da780fe8cad1fa73370414fb24b9822fc56f1f162d0db4a5c27159c225bc4d4fb061a87cb3c0d89b067353a478
SSDEEP

3072:X9z9zjy6WEba5uuoLPhiVF3NT5nNpytoQE:X9J9gu0td5nN4

Score

10^/10

dridex botnet

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

212 svchost.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1956 net.exe

pid	process
212	svchost.exe

pid	process
1956	net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DridexDroppedVBS.exesvchost.exe

pid	process
3788	DridexDroppedVBS.exe
3788	DridexDroppedVBS.exe
3788	DridexDroppedVBS.exe
3788	DridexDroppedVBS.exe
212	svchost.exe
212	svchost.exe
212	svchost.exe
212	svchost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

DridexDroppedVBS.exesvchost.exewhoami.exe

description	pid	process
Token: SeShutdownPrivilege	3788	DridexDroppedVBS.exe
Token: SeCreatePagefilePrivilege	3788	DridexDroppedVBS.exe
Token: SeShutdownPrivilege	212	svchost.exe
Token: SeCreatePagefilePrivilege	212	svchost.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe
Token: SeDebugPrivilege	4144	whoami.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

DridexDroppedVBS.exesvchost.exe

description	pid	process	target process
PID 3788 wrote to memory of 212	3788	DridexDroppedVBS.exe	svchost.exe
PID 3788 wrote to memory of 212	3788	DridexDroppedVBS.exe	svchost.exe
PID 3788 wrote to memory of 212	3788	DridexDroppedVBS.exe	svchost.exe
PID 3788 wrote to memory of 212	3788	DridexDroppedVBS.exe	svchost.exe
PID 212 wrote to memory of 4144	212	svchost.exe	whoami.exe
PID 212 wrote to memory of 4144	212	svchost.exe	whoami.exe
PID 212 wrote to memory of 4144	212	svchost.exe	whoami.exe
PID 212 wrote to memory of 1956	212	svchost.exe	net.exe
PID 212 wrote to memory of 1956	212	svchost.exe	net.exe
PID 212 wrote to memory of 1956	212	svchost.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\whoami.exe
    C:\Windows\system32\whoami.exe /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net.exe view
    3⤵
    - Discovers systems in the same network
    PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-2-0x0000000076410000-0x00000000764E0000-memory.dmp

Filesize
832KB

Download
memory/212-3-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/212-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-11-0x00000000028F0000-0x00000000028F6000-memory.dmp

Filesize
24KB

Download
memory/212-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-28-0x0000000076410000-0x00000000764E0000-memory.dmp

Filesize
832KB

Download
memory/3788-1-0x0000000001000000-0x0000000001006000-memory.dmp

Filesize
24KB

Download
memory/3788-5-0x0000000001090000-0x00000000010B4000-memory.dmp

Filesize
144KB

Download
memory/3788-0-0x0000000001090000-0x00000000010B4000-memory.dmp

Filesize
144KB

Download