dridex | 3c08465a1453b7ae0a91858ca433f0670e11e769daaff2dd43cac6edc3fc0479

Analysis

max time kernel
68s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Report-24Sept.2020.scr
Size

734KB
MD5

d594e8a2098a81c9bfa24f3c17c992e6
SHA1

b9c820973407c7b4bef5b9ce98b7af62cafa397d
SHA256

fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
SHA512

50049d1ded3f8cfcb6aa839c0341e91bb39b46dbd5376533f2725ce27e6ae5059d3f5af71100dd025b03b7a3cf90bfa920a93818ac1bafb30c65460514c4fd47
SSDEEP

12288:EY20AljdZgBPfKfi1leppjfQxAogJfqsUsz0cX0rLfGLEXTMd8MQ5B5rxVCz:Z20gPgFKLfQxAVBbIcXQGL+MWMwTrxMz

Score

10^/10

dridex 10555 botnet discovery evasion

Malware Config

Extracted

Family

dridex

Botnet

10555

151.236.219.181:443

142.4.6.57:14043

162.144.127.197:3786

103.40.116.68:5443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2776	attrib.exe

Executes dropped EXE 1 IoCs

Processes:

PLS.exe

pid	Process
2124	PLS.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exeregsvr32.exe

pid	Process
2332	cmd.exe
2664	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeregsvr32.exeReport-24Sept.2020.scrWScript.exetimeout.exePLS.exeWScript.exetimeout.execmd.exetimeout.exeattrib.exetimeout.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Report-24Sept.2020.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PLS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 4 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
2856	timeout.exe
1708	timeout.exe
2248	timeout.exe
2804	timeout.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Report-24Sept.2020.scrWScript.execmd.exeWScript.execmd.exe

description	pid	Process	procid_target
PID 2056 wrote to memory of 2280	2056	Report-24Sept.2020.scr	30
PID 2056 wrote to memory of 2280	2056	Report-24Sept.2020.scr	30
PID 2056 wrote to memory of 2280	2056	Report-24Sept.2020.scr	30
PID 2056 wrote to memory of 2280	2056	Report-24Sept.2020.scr	30
PID 2056 wrote to memory of 2280	2056	Report-24Sept.2020.scr	30
PID 2056 wrote to memory of 2280	2056	Report-24Sept.2020.scr	30
PID 2056 wrote to memory of 2280	2056	Report-24Sept.2020.scr	30
PID 2280 wrote to memory of 2332	2280	WScript.exe	31
PID 2280 wrote to memory of 2332	2280	WScript.exe	31
PID 2280 wrote to memory of 2332	2280	WScript.exe	31
PID 2280 wrote to memory of 2332	2280	WScript.exe	31
PID 2280 wrote to memory of 2332	2280	WScript.exe	31
PID 2280 wrote to memory of 2332	2280	WScript.exe	31
PID 2280 wrote to memory of 2332	2280	WScript.exe	31
PID 2332 wrote to memory of 2248	2332	cmd.exe	33
PID 2332 wrote to memory of 2248	2332	cmd.exe	33
PID 2332 wrote to memory of 2248	2332	cmd.exe	33
PID 2332 wrote to memory of 2248	2332	cmd.exe	33
PID 2332 wrote to memory of 2248	2332	cmd.exe	33
PID 2332 wrote to memory of 2248	2332	cmd.exe	33
PID 2332 wrote to memory of 2248	2332	cmd.exe	33
PID 2332 wrote to memory of 2124	2332	cmd.exe	34
PID 2332 wrote to memory of 2124	2332	cmd.exe	34
PID 2332 wrote to memory of 2124	2332	cmd.exe	34
PID 2332 wrote to memory of 2124	2332	cmd.exe	34
PID 2332 wrote to memory of 2124	2332	cmd.exe	34
PID 2332 wrote to memory of 2124	2332	cmd.exe	34
PID 2332 wrote to memory of 2124	2332	cmd.exe	34
PID 2332 wrote to memory of 2804	2332	cmd.exe	35
PID 2332 wrote to memory of 2804	2332	cmd.exe	35
PID 2332 wrote to memory of 2804	2332	cmd.exe	35
PID 2332 wrote to memory of 2804	2332	cmd.exe	35
PID 2332 wrote to memory of 2804	2332	cmd.exe	35
PID 2332 wrote to memory of 2804	2332	cmd.exe	35
PID 2332 wrote to memory of 2804	2332	cmd.exe	35
PID 2332 wrote to memory of 2744	2332	cmd.exe	37
PID 2332 wrote to memory of 2744	2332	cmd.exe	37
PID 2332 wrote to memory of 2744	2332	cmd.exe	37
PID 2332 wrote to memory of 2744	2332	cmd.exe	37
PID 2332 wrote to memory of 2744	2332	cmd.exe	37
PID 2332 wrote to memory of 2744	2332	cmd.exe	37
PID 2332 wrote to memory of 2744	2332	cmd.exe	37
PID 2332 wrote to memory of 2856	2332	cmd.exe	38
PID 2332 wrote to memory of 2856	2332	cmd.exe	38
PID 2332 wrote to memory of 2856	2332	cmd.exe	38
PID 2332 wrote to memory of 2856	2332	cmd.exe	38
PID 2332 wrote to memory of 2856	2332	cmd.exe	38
PID 2332 wrote to memory of 2856	2332	cmd.exe	38
PID 2332 wrote to memory of 2856	2332	cmd.exe	38
PID 2744 wrote to memory of 2624	2744	WScript.exe	39
PID 2744 wrote to memory of 2624	2744	WScript.exe	39
PID 2744 wrote to memory of 2624	2744	WScript.exe	39
PID 2744 wrote to memory of 2624	2744	WScript.exe	39
PID 2744 wrote to memory of 2624	2744	WScript.exe	39
PID 2744 wrote to memory of 2624	2744	WScript.exe	39
PID 2744 wrote to memory of 2624	2744	WScript.exe	39
PID 2624 wrote to memory of 2776	2624	cmd.exe	41
PID 2624 wrote to memory of 2776	2624	cmd.exe	41
PID 2624 wrote to memory of 2776	2624	cmd.exe	41
PID 2624 wrote to memory of 2776	2624	cmd.exe	41
PID 2624 wrote to memory of 2776	2624	cmd.exe	41
PID 2624 wrote to memory of 2776	2624	cmd.exe	41
PID 2624 wrote to memory of 2776	2624	cmd.exe	41
PID 2624 wrote to memory of 1708	2624	cmd.exe	42

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr
"C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr" /S
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\XIU\configurate\dsep.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2248
  - - C:\XIU\configurate\PLS.exe
      "PLS.exe" e -pVersion hl.rar
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2124
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2804
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\XIU\configurate\lll.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\XIU"
        6⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2776
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1708
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 -s CONFIG.dll
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2664
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\XIU\configurate\CONFIG.dll

Filesize
324KB

MD5
031f318c8ab815cda0d447904a925cf7

SHA1
2bbca22cb0355f1ad4acedd9dd69ebaaeddf6b9e

SHA256
9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd

SHA512
519a54859e82861cf3f73b3a6ac400b57bd560a53867b8396aa8c286a5ee4e675c75c3f80ddc0cb4e0ef80300ada6b4e985bd4bb73bdc8d1c56a673240a83c4d

Download Submit
C:\XIU\configurate\PLS.exe

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\XIU\configurate\SLP.txt

Filesize
212KB

MD5
24fdf4791a3efa0178e677b0e03c12b1

SHA1
f5f45b8c35cf303eff77aa1fbe02e9bd4318c7d7

SHA256
6740389c8266848199851648c4228df7401dd30c8dec89ab7827f1bec7ab522b

SHA512
f9b71717cdd61a9539dd93267f4d039e0de7dd8933b9f63679466a881884b06ccdc666d27bb6b9909127101a63879b33a1165a83fff9d6ce3009ed5e7b97b6da

Download Submit
C:\XIU\configurate\dsep.bat

Filesize
569B

MD5
9318a04c2d4d80719382a7e73c28736b

SHA1
ddb5096d2841b575a941ecaf79fee8e2365563ae

SHA256
db74d354ad34fa9a0dafd9b846574855b480590ebf06879d87844060cf50ff4b

SHA512
0dd33ebf730e77a1d55996b14a560f1584e17e55e5a6efdedd3bce2ecdd0e7f892c9ae2b4bef8ee68a723ef9d02717e9f9fb3939f1b95cacaeacd29b28e70717

Download Submit
C:\XIU\configurate\fatless.vbs

Filesize
99B

MD5
75214af723ca4720e0aa365eb3ef6f5b

SHA1
a6b73a92246cd3b857e32e2a8a26ee8fc52fdcb4

SHA256
06d4a788d4c91c141b933199826ac3b4df8d6027f818fc2b198043773ea132e4

SHA512
91b7752a63e694641f17187cdb8e1a7876eda195f3070d6fee210b6210e2897833bc08b770db6e82cfec7a99e3fae5c01588872eb2aa60dccdc4064363f54c58

Download Submit
C:\XIU\configurate\lll.bat

Filesize
692B

MD5
70c1b14895a29502d3e94e395606f82d

SHA1
a02fff1f3a0c1c8ff5453a5de715cbe5ba227185

SHA256
b449d3d5b476b1a53bbe6b5d6fef93e89d8456450e84b1c349237c6a8df3b65d

SHA512
8f9a8975124738b7a5ad1e0d92549f45a06c6efa8fac7d3c07ce16399a6aeed5644c14bf56cec56c83a293835cfb994a99d3e75dc5e9ea7f41e9e354760f742c

Download Submit
C:\XIU\configurate\selector.vbs

Filesize
82B

MD5
9cce3084f1850c3be989cc47fab4ee71

SHA1
e490f01a46f85c155c2848affda6d2c7b0791c8b

SHA256
332462b21eed1bcbd9c198851e28b789893628410e7268ddc022a40e2f7f94c1

SHA512
30cc59e8e1a5b20a1c59bb437dc96cf65f7bbfa798617a77a613ae89012be78bda38c51278411ba511a7058eaca728e160a0d6d29f5defaeafa4dc7f64458f88

Download Submit
memory/2664-41-0x0000000074680000-0x00000000746D1000-memory.dmp

Filesize
324KB

Download
memory/2664-43-0x0000000074680000-0x00000000746D1000-memory.dmp

Filesize
324KB

Download