Analysis

Max time kernel: 150s
Max time network: 153s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 09-11-2020 20:21

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Dridex.704.22500.31078.dll
Resource: win7v20201028
0 signatures, 0 seconds
General

Target: SecuriteInfo.com.Trojan.Dridex.704.22500.31078.dll
Size: 647KB
MD5: cd63f0981882dc0eae43d92879b23b90
SHA1: 71eb9e3940d1353930f9c006c5757f588a6d0d28
SHA256: bb0063629c3a51ea01a188e9f89e0a8b2ca68030d0cdaac6bd84cd100007cfc3
SHA512: a3c14d37081861be863f99d044c18bf3aede33c9265e845b55eb5c870d8b368f7eb39a499e699165c3e57661475430d9a38b299b8a063f79314b85038a260748
Malware Config

Extracted
Family: zloader
Botnet: bot5
Campaign: bot5
C2: https://militanttra.at/owg.php
rc4.plain
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
  description                          pid   process       target process
  PID 1820 set thread context of 1720  1820  rundll32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: msiexec.exe
  description                  pid   process
  Token: SeSecurityPrivilege   1720  msiexec.exe
  Token: SeSecurityPrivilege   1720  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                         pid   process       target process
  PID 1320 wrote to memory of 1820    1320  rundll32.exe  rundll32.exe
  PID 1320 wrote to memory of 1820    1320  rundll32.exe  rundll32.exe
  PID 1320 wrote to memory of 1820    1320  rundll32.exe  rundll32.exe
  PID 1320 wrote to memory of 1820    1320  rundll32.exe  rundll32.exe
  PID 1320 wrote to memory of 1820    1320  rundll32.exe  rundll32.exe
  PID 1320 wrote to memory of 1820    1320  rundll32.exe  rundll32.exe
  PID 1320 wrote to memory of 1820    1320  rundll32.exe  rundll32.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
  PID 1820 wrote to memory of 1720    1820  rundll32.exe  msiexec.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dridex.704.22500.31078.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dridex.704.22500.31078.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

  File                                                             Filesize
  memory/1324-5-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp  2.5MB
  memory/1720-1-0x00000000000D0000-0x0000000000107000-memory.dmp  220KB
  memory/1720-2-0x0000000000110000-0x0000000000111000-memory.dmp  4KB
  memory/1720-3-0x00000000000D0000-0x0000000000107000-memory.dmp  220KB
  memory/1720-4-0x0000000000000000-mapping.dmp
  memory/1820-0-0x0000000000000000-mapping.dmp