dridex | a6ea57cdb7ea0f0d7d073f2fe4ef53456734b97eaa0e35b8c5a0225e0aa582d0

Analysis

max time kernel
63s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22b6aa8c118f850e14eb78efadd00ee0N.dll
Size

236KB
MD5

22b6aa8c118f850e14eb78efadd00ee0
SHA1

04ce345c2c15f458f5e9c0a86f72e5639c40e5ac
SHA256

a6ea57cdb7ea0f0d7d073f2fe4ef53456734b97eaa0e35b8c5a0225e0aa582d0
SHA512

e84d891b4e7c5bfc0edf9a774c1e035816e8649a18bf90c33fc7676d557ec49b622a2ffcc82b4f6b388ea91f2d61af168781f097fcc826296db38fa6b58acf49
SSDEEP

6144:51G3WVIOY6Bdjehj+qudd96oud6mv5wdC:51GmSafShjYdd96zd6cwdC

Score

10^/10

dridex 111 botnet discovery loader

Malware Config

Extracted

Family

dridex

Botnet

111

52.73.70.149:443

8.4.9.152:3786

185.246.87.202:3098

50.116.111.64:5353

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1908-1-0x0000000074CF0000-0x0000000074D2D000-memory.dmp	dridex_ldr
behavioral1/memory/1908-2-0x0000000074CF0000-0x0000000074D2D000-memory.dmp	dridex_ldr

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2360 wrote to memory of 1908	2360	rundll32.exe	rundll32.exe
PID 2360 wrote to memory of 1908	2360	rundll32.exe	rundll32.exe
PID 2360 wrote to memory of 1908	2360	rundll32.exe	rundll32.exe
PID 2360 wrote to memory of 1908	2360	rundll32.exe	rundll32.exe
PID 2360 wrote to memory of 1908	2360	rundll32.exe	rundll32.exe
PID 2360 wrote to memory of 1908	2360	rundll32.exe	rundll32.exe
PID 2360 wrote to memory of 1908	2360	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22b6aa8c118f850e14eb78efadd00ee0N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\22b6aa8c118f850e14eb78efadd00ee0N.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-0-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/1908-1-0x0000000074CF0000-0x0000000074D2D000-memory.dmp

Filesize
244KB

Download
memory/1908-3-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/1908-2-0x0000000074CF0000-0x0000000074D2D000-memory.dmp

Filesize
244KB

Download