Analysis
- max time kernel: 49s
- max time network: 48s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-02-2021 16:50
- Static task: static1
General
- Target: 642ab82c74a436b00f64a17174e23f40a64b721b6128e80a70e3cbffc7d3424a.dll
- Size: 371KB
- MD5: 1b870dab19a3650ab790037ae327b7cb
- SHA1: 3fd3d813417c0872d1a1374439351dd53500a024
- SHA256: 642ab82c74a436b00f64a17174e23f40a64b721b6128e80a70e3cbffc7d3424a
- SHA512: 707779597690d2178622be05956a2bf49456dd63f70cfba6e03971fdcb4179e754d3a1a725dd08768c8bd91333e1e3d113e791b726ed198b2c7b6175bd4f5087
Malware Config
Extracted
- Family: dridex
- Botnet: 10555
- C2:
  - 194.225.58.214:443
  - 211.110.44.63:5353
  - 69.164.207.140:3388
  - 198.57.200.100:3786
- rc4.plain
- rc4.plain
Signatures
- Dridex loader detected (yara_rule)
  Processes:
  | resource | yara_rule |
  | behavioral1/memory/1904-5-0x0000000000840000-0x000000000087D000-memory.dmp | dridex_ldr |
  | behavioral1/memory/1904-7-0x0000000000840000-0x00000000008B5000-memory.dmp | dridex_ldr |
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  | description | pid | process | target process |
  | PID 1096 wrote to memory of 1904 | 1096 | regsvr32.exe | regsvr32.exe |
  | PID 1096 wrote to memory of 1904 | 1096 | regsvr32.exe | regsvr32.exe |
  | PID 1096 wrote to memory of 1904 | 1096 | regsvr32.exe | regsvr32.exe |
  | PID 1096 wrote to memory of 1904 | 1096 | regsvr32.exe | regsvr32.exe |
  | PID 1096 wrote to memory of 1904 | 1096 | regsvr32.exe | regsvr32.exe |
  | PID 1096 wrote to memory of 1904 | 1096 | regsvr32.exe | regsvr32.exe |
  | PID 1096 wrote to memory of 1904 | 1096 | regsvr32.exe | regsvr32.exe |
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\642ab82c74a436b00f64a17174e23f40a64b721b6128e80a70e3cbffc7d3424a.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\642ab82c74a436b00f64a17174e23f40a64b721b6128e80a70e3cbffc7d3424a.dll
Network
MITRE ATT&CK Matrix
Downloads
- memory/1096-2-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmp (Filesize: 8KB)
- memory/1632-8-0x000007FEF7500000-0x000007FEF777A000-memory.dmp (Filesize: 2.5MB)
- memory/1904-3-0x0000000000000000-mapping.dmp
- memory/1904-4-0x0000000075301000-0x0000000075303000-memory.dmp (Filesize: 8KB)
- memory/1904-5-0x0000000000840000-0x000000000087D000-memory.dmp (Filesize: 244KB)
- memory/1904-6-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/1904-7-0x0000000000840000-0x00000000008B5000-memory.dmp (Filesize: 468KB)