Analysis

max time kernel: 150s
max time network: 139s
platform: windows10_x64
resource: win10v20201028
submitted: 03-03-2021 21:05

Static task: static1
Behavioral task: behavioral1
Sample: 9c3e327c612a7837cb64f76e343f08bf572dced5dbc663f2efcc4e4c9d4eb13c.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General

Target: 9c3e327c612a7837cb64f76e343f08bf572dced5dbc663f2efcc4e4c9d4eb13c.dll
Size: 196KB
MD5: 255fbf3507a9f3683cd2f2cce7f239ea
SHA1: 6ab18898a66be59f9fe4c1309f4945d9220dff1b
SHA256: 9c3e327c612a7837cb64f76e343f08bf572dced5dbc663f2efcc4e4c9d4eb13c
SHA512: f096c15b23ad15349dfdeebb1f7d84bf7584b0b39ff78806ba2b90e58f62493fb986d1f5dbde9d50f59171c7d60d8b6f6d53358187f020e87ccb440b917449cc
Malware Config

Extracted
Family: dridex
Botnet: 111
C2:
  37.247.35.132:443
  50.243.30.51:6601
  162.241.204.234:6516
rc4.plain
rc4.plain
Signatures

Processes:
resource | yara_rule
behavioral2/memory/2188-3-0x0000000074000000-0x0000000074033000-memory.dmp | dridex_ldr
behavioral2/memory/2188-5-0x0000000074000000-0x000000007401F000-memory.dmp | dridex_ldr

Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
14 | 2188 | rundll32.exe
16 | 2188 | rundll32.exe
17 | 2188 | rundll32.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 3928 wrote to memory of 2188 | 3928 | rundll32.exe | rundll32.exe
PID 3928 wrote to memory of 2188 | 3928 | rundll32.exe | rundll32.exe
PID 3928 wrote to memory of 2188 | 3928 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c3e327c612a7837cb64f76e343f08bf572dced5dbc663f2efcc4e4c9d4eb13c.dll,#1
   PID: 3928
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c3e327c612a7837cb64f76e343f08bf572dced5dbc663f2efcc4e4c9d4eb13c.dll,#1
      PID: 2188
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads

memory/2188-2-0x0000000000000000-mapping.dmp
memory/2188-3-0x0000000074000000-0x0000000074033000-memory.dmp (Filesize: 204KB)
memory/2188-4-0x0000000002A50000-0x0000000002A56000-memory.dmp (Filesize: 24KB)
memory/2188-5-0x0000000074000000-0x000000007401F000-memory.dmp (Filesize: 124KB)