Analysis
-
max time kernel
60s -
max time network
118s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 14:42
General
-
Target
ojdtxpy.dll
-
Size
1.2MB
-
MD5
9a821fc91c5053a2b52dbb0c16f89dc0
-
SHA1
d10adfc10ab68859e02d21a551d1f4ea6f0ff5c9
-
SHA256
d4621f06232d8942fbe8ec42a295028d89f277633354d900071f53179684f227
-
SHA512
db8ee3ac8168a7d83e93af78f81af97cdce9cfa52e6d4d1bf7027ee46ecf6e40e91982be4332167fd23d15ea937fe6b2c5c1c51e4d74c04e159c422b110219e3
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
94.126.8.2:443
37.187.161.206:33443
209.59.199.129:4443
157.245.130.146:3786
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ojdtxpy.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ojdtxpy.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1508-2-0x000007FEF7790000-0x000007FEF7A0A000-memory.dmpFilesize
2.5MB
-
memory/1988-0-0x0000000000000000-mapping.dmp
-
memory/1988-1-0x0000000074B30000-0x0000000074B6D000-memory.dmpFilesize
244KB