Analysis
-
max time kernel
7s -
max time network
64s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-11-2020 05:19
General
-
Target
pzxrk4325.dll
-
Size
355KB
-
MD5
457a2d0c13db31222c66c3e623d88063
-
SHA1
15bd1122fe1a910c3b8f255bbe74de5ffed57fd2
-
SHA256
a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba
-
SHA512
5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10555
C2
194.225.58.216:443
178.254.40.132:691
216.172.165.70:3889
198.57.200.100:3786
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\pzxrk4325.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\pzxrk4325.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1168-2-0x000007FEF74B0000-0x000007FEF772A000-memory.dmpFilesize
2.5MB
-
memory/1912-0-0x0000000000000000-mapping.dmp
-
memory/1912-1-0x00000000002F0000-0x000000000032D000-memory.dmpFilesize
244KB