Analysis
-
max time kernel
71s -
max time network
128s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
02-11-2020 16:45
General
-
Target
yyvwjrxk.dll
-
Size
551KB
-
MD5
30a9282bf77aca1fcad347596364f456
-
SHA1
79a4c1db15260ab9912c59eef7c595ee5e5abf86
-
SHA256
75c73ab948e50702363e0eccbe49051b38807f3e78790a95bcae1cea4ae3bcbc
-
SHA512
254aa6bb60244ba5bb6210f8a1a84a52200c70cf91644c7db829ce206623d6b838e846efa95b57c2b41b7ce4ab630d4a8bbb2d6f2e46616d59e393b36e0a27b9
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
195.154.237.245:443
46.105.131.73:8172
91.238.160.158:18443
213.183.128.99:3786
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\yyvwjrxk.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\yyvwjrxk.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1632-2-0x000007FEF7080000-0x000007FEF72FA000-memory.dmpFilesize
2.5MB
-
memory/2036-0-0x0000000000000000-mapping.dmp
-
memory/2036-1-0x0000000000750000-0x000000000078D000-memory.dmpFilesize
244KB