Analysis
-
max time kernel
60s -
max time network
62s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
07-02-2021 18:25
Static task
static1
General
-
Target
f045bc5d0dc4890be3163fa236c403dab3d444e92fd5ddc0356dbf3f25f829af.dll
-
Size
830KB
-
MD5
8c1c54884b90c015330ef19c0cb0a4fc
-
SHA1
e222675107a78e19648479a3a994f63fcc58f2a2
-
SHA256
f045bc5d0dc4890be3163fa236c403dab3d444e92fd5ddc0356dbf3f25f829af
-
SHA512
bf4cbee52dfe8c7dd5ab33a8b8e121d9d9cc92b2ebf720026dc3dd4e48f16bb8a5c0970cf7a4dc18b547c3ed4632ae48b1628f46c85436d0dc947baaf886b4e3
Malware Config
Extracted
Family
dridex
Botnet
10555
C2
146.164.126.197:443
69.16.193.166:9443
193.90.12.122:3098
157.245.103.132:14043
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1920-4-0x0000000073F00000-0x0000000073F3A000-memory.dmp dridex_ldr behavioral1/memory/1920-5-0x0000000073F00000-0x0000000073F3A000-memory.dmp dridex_ldr -
Processes:
resource yara_rule behavioral1/memory/1920-4-0x0000000073F00000-0x0000000073F3A000-memory.dmp dridex_ldr_dmod behavioral1/memory/1920-5-0x0000000073F00000-0x0000000073F3A000-memory.dmp dridex_ldr_dmod -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 6 1920 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1108 wrote to memory of 1920 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 1920 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 1920 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 1920 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 1920 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 1920 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 1920 1108 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f045bc5d0dc4890be3163fa236c403dab3d444e92fd5ddc0356dbf3f25f829af.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f045bc5d0dc4890be3163fa236c403dab3d444e92fd5ddc0356dbf3f25f829af.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1452-7-0x000007FEF7510000-0x000007FEF778A000-memory.dmpFilesize
2.5MB
-
memory/1920-2-0x0000000000000000-mapping.dmp
-
memory/1920-3-0x00000000760D1000-0x00000000760D3000-memory.dmpFilesize
8KB
-
memory/1920-4-0x0000000073F00000-0x0000000073F3A000-memory.dmpFilesize
232KB
-
memory/1920-5-0x0000000073F00000-0x0000000073F3A000-memory.dmpFilesize
232KB
-
memory/1920-6-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB