Analysis
- max time kernel: 50s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-01-2021 07:30
Static task: static1
Behavioral task: behavioral1
- Sample: 6caba7e0bee7373c2c620f1e12b85896.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 6caba7e0bee7373c2c620f1e12b85896.dll
- Size: 236KB
- MD5: 6caba7e0bee7373c2c620f1e12b85896
- SHA1: b6a881f9f02ed06a24fd3e32b77a9ac84d08131c
- SHA256: c8a21f3ba32b9e1557b9146648a3ce2dc39a53e6fc07d58b736b385d9b0b777a
- SHA512: e9463b48754c92264dc2b24c89ee63da4d853118e646883c7f9906ca2e2485654b419822bc4912becc9d60557c9cef1d79767b503aec15edc7d7f3696da865c1
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  52.73.70.149:443
  8.4.9.152:3786
  185.246.87.202:3098
  50.116.111.64:5353
- rc4.plain
- rc4.plain
Signatures
- yara_rule matches
  Resources:
  resource | yara_rule
  behavioral2/memory/1008-3-0x00000000743E0000-0x000000007441D000-memory.dmp | dridex_ldr
  behavioral2/memory/1008-5-0x00000000743E0000-0x00000000743FF000-memory.dmp | dridex_ldr
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 648 wrote to memory of 1008 | 648 | rundll32.exe | rundll32.exe
  PID 648 wrote to memory of 1008 | 648 | rundll32.exe | rundll32.exe
  PID 648 wrote to memory of 1008 | 648 | rundll32.exe | rundll32.exe
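The WriteProcessMemory signature above is weak on its own: the 64-bit system32 rundll32.exe hands a 32-bit DLL off to the SysWOW64 rundll32.exe by design, and a parent writing into a freshly created child is part of ordinary process creation. What makes this chain worth flagging is the combination of that hop with the DLL sitting in a user-writable Temp directory, the export being called by ordinal (,#1), and the yara_rule hits on the child's memory. The following is an added example (not the sandbox's own detection logic or event format) that scores a rundll32 parent/child pair on exactly those indicators over constructed events modelled on this report's process tree; the event dictionaries, the outer parent PIDs 4000 and 1500, and the benign control process are assumptions made for the example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed events modelled on the report's process tree and the three
# "PID 648 wrote to memory of 1008" IoCs. The event shape, the parent PIDs
# 4000/1500 and the benign control process are assumptions for this example,
# not the sandbox's own log format.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\6caba7e0bee7373c2c620f1e12b85896.dll"
EVENTS = [
    {"type": "process_create", "pid": 648, "ppid": 4000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 1008, "ppid": 648,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "write_process_memory", "pid": 648, "target_pid": 1008},
    {"type": "write_process_memory", "pid": 648, "target_pid": 1008},
    {"type": "write_process_memory", "pid": 648, "target_pid": 1008},
    # Benign control (assumed): rundll32 loading a system DLL by export name.
    {"type": "process_create", "pid": 2000, "ppid": 1500,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

# Weak indicators that only matter in combination.
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.IGNORECASE)
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\s*$", re.IGNORECASE)


def is_rundll32(image):
    return ntpath.basename(image).lower() == "rundll32.exe"


def find_rundll32_hops(events, min_reasons=2):
    """Return rundll32 -> rundll32 parent/child pairs that collect at least
    min_reasons of the weak indicators; a single indicator never fires."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)
    for e in events:
        # Count only cross-process writes, keyed by (writer, target).
        if e["type"] == "write_process_memory" and e["pid"] != e["target_pid"]:
            writes[(e["pid"], e["target_pid"])] += 1

    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None or not (is_rundll32(parent["image"]) and is_rundll32(child["image"])):
            continue
        reasons = []
        if ntpath.dirname(parent["image"]).lower() != ntpath.dirname(child["image"]).lower():
            reasons.append("parent and child rundll32 live in different directories (system32 -> SysWOW64 hop)")
        if USER_WRITABLE.search(child["cmdline"]):
            reasons.append("DLL loaded from a user-writable path")
        if ORDINAL_EXPORT.search(child["cmdline"]):
            reasons.append("export invoked by ordinal")
        n = writes.get((parent["pid"], child["pid"]), 0)
        if n:
            reasons.append(f"{n} WriteProcessMemory call(s) from parent into child")
        if len(reasons) >= min_reasons:
            hits.append({"parent_pid": parent["pid"], "child_pid": child["pid"],
                         "cmdline": child["cmdline"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_rundll32_hops(EVENTS):
        print(f"{hit['parent_pid']} -> {hit['child_pid']}: {hit['cmdline']}")
        for reason in hit["reasons"]:
            print("   ", reason)
```

On the constructed events the 648 -> 1008 pair collects all four indicators, while the benign rundll32 that loads shell32.dll by export name has no rundll32 parent and is never considered. Raising min_reasons trades recall for noise; the real-world tuning question is how many legitimate 64-bit-to-32-bit rundll32 hops your environment produces for DLLs under Users or ProgramData.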
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6caba7e0bee7373c2c620f1e12b85896.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6caba7e0bee7373c2c620f1e12b85896.dll,#1
Network
MITRE ATT&CK Matrix
Downloads
- memory/1008-2-0x0000000000000000-mapping.dmp
- memory/1008-3-0x00000000743E0000-0x000000007441D000-memory.dmp (Filesize 244KB)
- memory/1008-4-0x0000000002BF0000-0x0000000002BF6000-memory.dmp (Filesize 24KB)
- memory/1008-5-0x00000000743E0000-0x00000000743FF000-memory.dmp (Filesize 124KB)
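The dump names encode the PID, a sequence number and the virtual address range that was captured, so the listed Filesize can be cross-checked against the range, and dumps that share a base address (here 3 and 5, both at 0x743E0000 and both matched by dridex_ldr) can be grouped as snapshots of one module. Every range also ends below 0x80000000, which is consistent with the 32-bit SysWOW64 rundll32.exe (PID 1008) in the process tree. The following is an added example (not the sandbox's tooling) that parses those names, verifies the sizes, groups dumps by base, and splits the extracted C2 list into host/port with a flag for non-standard ports; the dump list, Filesize figures and C2 lines are copied from this report, and the standard-port set is an assumption.

```python
import re
from collections import defaultdict

# Values copied from the report's Downloads, Signatures and C2 sections.
DUMPS = [
    ("memory/1008-2-0x0000000000000000-mapping.dmp", None),
    ("memory/1008-3-0x00000000743E0000-0x000000007441D000-memory.dmp", 244),
    ("memory/1008-4-0x0000000002BF0000-0x0000000002BF6000-memory.dmp", 24),
    ("memory/1008-5-0x00000000743E0000-0x00000000743FF000-memory.dmp", 124),
]
C2_LINES = ["52.73.70.149:443", "8.4.9.152:3786", "185.246.87.202:3098", "50.116.111.64:5353"]

# memory/<pid>-<idx>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]{16})"
    r"(?:-0x(?P<end>[0-9A-Fa-f]{16}))?-(?P<kind>memory|mapping)\.dmp$")


def parse_dump(name):
    """Decode one dump file name; returns None if it does not match the pattern."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "idx": int(m["idx"]), "kind": m["kind"],
        "start": start, "end": end,
        "size_kb": (end - start) // 1024 if end is not None else None,
        # A range ending at or below 0x80000000 fits a 32-bit (WoW64) user address space.
        "fits_32bit": end is not None and end <= 0x80000000,
    }


def check_sizes(dumps):
    """Compare the size implied by the address range with the listed Filesize (KB)."""
    out = []
    for name, listed_kb in dumps:
        d = parse_dump(name)
        if d is None or d["size_kb"] is None:
            continue  # mapping dumps carry no range, so nothing to compare
        out.append((d["idx"], d["size_kb"], listed_kb, d["size_kb"] == listed_kb))
    return out


def group_by_base(dumps):
    """Map base address -> sorted dump indices, to spot repeated snapshots of one region."""
    groups = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        if d is not None and d["end"] is not None:
            groups[d["start"]].append(d["idx"])
    return {base: sorted(idxs) for base, idxs in groups.items()}


def parse_c2(lines, standard_ports=frozenset({80, 443, 8080})):
    """Split 'host:port' lines; standard_ports is an assumed set for flagging."""
    out = []
    for line in lines:
        host, port = line.strip().rsplit(":", 1)
        port = int(port)
        out.append({"host": host, "port": port, "nonstandard_port": port not in standard_ports})
    return out


if __name__ == "__main__":
    for idx, computed, listed, ok in check_sizes(DUMPS):
        print(f"dump {idx}: range {computed}KB, listed {listed}KB, {'ok' if ok else 'MISMATCH'}")
    for base, idxs in group_by_base(DUMPS).items():
        print(f"base 0x{base:08X}: dumps {idxs}")
    for c2 in parse_c2(C2_LINES):
        print(c2)
```

The size check passing for all three memory dumps means the KB figures are exact multiples of the page-granular ranges, which is what you expect from a region dumper; a mismatch would point at truncation or a renamed file. Three of the four C2 endpoints use ports outside the assumed standard set, a pattern worth carrying into egress-filtering or proxy-log queries alongside the IPs themselves.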