Analysis
- max time kernel: 132s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 30-01-2021 21:53

Static task: static1
Behavioral task: behavioral1
- Sample: 1b870dab19a3650ab790037ae327b7cb.bin.dll
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 1b870dab19a3650ab790037ae327b7cb.bin.dll
- Size: 371KB
- MD5: 1b870dab19a3650ab790037ae327b7cb
- SHA1: 3fd3d813417c0872d1a1374439351dd53500a024
- SHA256: 642ab82c74a436b00f64a17174e23f40a64b721b6128e80a70e3cbffc7d3424a
- SHA512: 707779597690d2178622be05956a2bf49456dd63f70cfba6e03971fdcb4179e754d3a1a725dd08768c8bd91333e1e3d113e791b726ed198b2c7b6175bd4f5087
Malware Config
Extracted
- Family: dridex
- Botnet: 10555
- C2:
  - 194.225.58.214:443
  - 211.110.44.63:5353
  - 69.164.207.140:3388
  - 198.57.200.100:3786
- rc4.plain
- rc4.plain
Signatures
- YARA rule matches
  Processes:
    resource: behavioral2/memory/1504-3-0x0000000000400000-0x000000000043D000-memory.dmp  yara_rule: dridex_ldr
    resource: behavioral2/memory/1504-5-0x0000000000400000-0x0000000000475000-memory.dmp  yara_rule: dridex_ldr
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 644 wrote to memory of 1504  pid: 644  process: regsvr32.exe  target process: regsvr32.exe
    description: PID 644 wrote to memory of 1504  pid: 644  process: regsvr32.exe  target process: regsvr32.exe
    description: PID 644 wrote to memory of 1504  pid: 644  process: regsvr32.exe  target process: regsvr32.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1b870dab19a3650ab790037ae327b7cb.bin.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1b870dab19a3650ab790037ae327b7cb.bin.dll
Downloads
- memory/1504-2-0x0000000000000000-mapping.dmp
- memory/1504-3-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)
- memory/1504-5-0x0000000000400000-0x0000000000475000-memory.dmp (Filesize: 468KB)
- memory/1504-4-0x0000000003200000-0x0000000003201000-memory.dmp (Filesize: 4KB)