dridex | beda27db5bf346e15cfe39591090d852a539760c824cb28afb322098a4027961

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OSCE-CUR1202069986.vbs
Size

2.2MB
MD5

bafce37d28a61cc064beeb186de90d78
SHA1

0d2bc349c0da8f5a92df71e9cb34d92b4bb6e70c
SHA256

4a2e30d454a2c64df5eeea0a038d86dc0d230faf595efc7c9fc4773d083348a9
SHA512

9044e58359b2e1c9ecaa04807b3332bd654a34426047f71494ac74ecec56915a1278ec8a5c7648aa873985af919012ada47943c0b3eed030b5adf06e02cad040
SSDEEP

3072:opDhIAeifbWm7bDBuaQc1DAjTMTNoA5mky0S+/8Zi5XY+2h+/GOwmNLgR5btVVW7:oX8sBP0tmjoPJwbxYNWQcVZA2+vZ4qC

Score

10^/10

dridex botnet

Malware Config

Extracted

Family

dridex

104.131.41.185:443

178.62.75.204:1443

138.201.138.91:3389

62.75.191.14:3389

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2824 2288 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2544 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

3016 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2288	regsvr32.exe

pid	process
2544	regsvr32.exe

pid	process
3016	WScript.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2824 wrote to memory of 2544	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 2544	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 2544	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 2544	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 2544	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 2544	2824	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 2544	2824	regsvr32.exe	regsvr32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OSCE-CUR1202069986.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3016

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
2⤵
- Loads dropped DLL
PID:2544

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RDGFSF~1.ZIP
Filesize
173KB

MD5
1a06a9ee708aedc9262e0deb92a6d96c

SHA1
9b19d73ae13951b7841f3d0df907c078a037e57b

SHA256
52707f6fa67030ab19ff2c3ccac34fcb0ebdc82ef38a462980d28ffe785abe4f

SHA512
869c5adc3e55aef45438113492343c5268c350c7bf32a1870d2b4db3d35ae500f69f916597a35888b17b0f3760c613b10a946a92f6527626181be3893a16721a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
Filesize
234KB

MD5
dcc0d174cb7fec609f31c0f95347f913

SHA1
d77a6c10f9538ccd630d437390e69471cbc3cebb

SHA256
56b8f57264cd5747a3282754601387cf860eab9c18d1c14bcdd6074c88c5a0e0

SHA512
d626c4a4b42d7ffd68fb2433943e3657add9ac69f13ec2dd6233ee58ea041179c8a2795212baeb895f56f9c04a2a66035652ca24f0d0eff127ee2d06187924e0

Download Submit
memory/2544-25-0x0000000074810000-0x0000000074862000-memory.dmp

Filesize
328KB

Download
memory/2544-27-0x000000007484B000-0x000000007484E000-memory.dmp

Filesize
12KB

Download
memory/2544-28-0x0000000074810000-0x0000000074862000-memory.dmp

Filesize
328KB

Download
memory/3016-9-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download