Analysis

- max time kernel: 151s
- max time network: 143s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:21

Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Dridex.704.28108.28988.dll
  Resource: win7v20201028 (windows7_x64)

0 signatures, 0 seconds
General

- Target: SecuriteInfo.com.Trojan.Dridex.704.28108.28988.dll
- Size: 647KB
- MD5: 979310d723bfe499e26f9d1c773eb567
- SHA1: 4bbac2dc71b965de292f96cb1b711d7ae979f534
- SHA256: 1b4e008beb2b395e53648c9a246ecafcb3df0543c5236a40cdb976a2007bbf97
- SHA512: 864484d606a1332606ba33130099f5eaa26dc03979fe6857b588094295bbce3bf83905e6cc57221155d8fecafa63600ec4dd633af956e83272dc873ca55e02db
Malware Config

Extracted:
- Family: zloader
- Botnet: bot5
- Campaign: bot5
- C2: https://militanttra.at/owg.php
- rc4.plain
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process       target process
  PID 1664 set thread context of 1304  1664  rundll32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  1304  msiexec.exe
  Token: SeSecurityPrivilege  1304  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                       pid   process       target process
  PID 1764 wrote to memory of 1664  1764  rundll32.exe  rundll32.exe
  PID 1764 wrote to memory of 1664  1764  rundll32.exe  rundll32.exe
  PID 1764 wrote to memory of 1664  1764  rundll32.exe  rundll32.exe
  PID 1764 wrote to memory of 1664  1764  rundll32.exe  rundll32.exe
  PID 1764 wrote to memory of 1664  1764  rundll32.exe  rundll32.exe
  PID 1764 wrote to memory of 1664  1764  rundll32.exe  rundll32.exe
  PID 1764 wrote to memory of 1664  1764  rundll32.exe  rundll32.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
  PID 1664 wrote to memory of 1304  1664  rundll32.exe  msiexec.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dridex.704.28108.28988.dll,#1
   PID: 1764
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dridex.704.28108.28988.dll,#1
      PID: 1664
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe (child of 2)
         Command line: msiexec.exe
         PID: 1304
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- memory/1304-2-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)
- memory/1304-1-0x00000000000D0000-0x0000000000107000-memory.dmp (Filesize: 220KB)
- memory/1304-3-0x00000000000D0000-0x0000000000107000-memory.dmp (Filesize: 220KB)
- memory/1304-4-0x0000000000000000-mapping.dmp
- memory/1348-5-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp (Filesize: 2.5MB)
- memory/1664-0-0x0000000000000000-mapping.dmp