Analysis
-
max time kernel
53s -
max time network
62s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-03-2021 22:06
Static task
static1
General
-
Target
cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0.dll
-
Size
196KB
-
MD5
dd76f4cb0ba5e0b4bbbce3e1039631dc
-
SHA1
390b2c808937b4bf28c7d3589737b95f6a9030c8
-
SHA256
cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0
-
SHA512
42d94e4a15cac0ac2fd9c0a1fb5a72bfaf8ddb59f0362c6af8445e08be37772cffae3ac6dbbf222df189161c1f0444e01c7075b008d62315d74a1f80da5400e2
Malware Config
Extracted
Family
dridex
Botnet
111
C2
37.247.35.132:443
50.243.30.51:6601
162.241.204.234:6516
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1812-4-0x00000000746D0000-0x0000000074703000-memory.dmp dridex_ldr behavioral1/memory/1812-6-0x00000000746D0000-0x00000000746EF000-memory.dmp dridex_ldr -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 5 1812 rundll32.exe 7 1812 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1044 wrote to memory of 1812 1044 rundll32.exe rundll32.exe PID 1044 wrote to memory of 1812 1044 rundll32.exe rundll32.exe PID 1044 wrote to memory of 1812 1044 rundll32.exe rundll32.exe PID 1044 wrote to memory of 1812 1044 rundll32.exe rundll32.exe PID 1044 wrote to memory of 1812 1044 rundll32.exe rundll32.exe PID 1044 wrote to memory of 1812 1044 rundll32.exe rundll32.exe PID 1044 wrote to memory of 1812 1044 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cd44b8b3e980585d428b6a3faa16b7a52c96019f6afa06da00400551c87155e0.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1616-7-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmpFilesize
2.5MB
-
memory/1812-2-0x0000000000000000-mapping.dmp
-
memory/1812-3-0x00000000760A1000-0x00000000760A3000-memory.dmpFilesize
8KB
-
memory/1812-4-0x00000000746D0000-0x0000000074703000-memory.dmpFilesize
204KB
-
memory/1812-5-0x0000000000120000-0x0000000000126000-memory.dmpFilesize
24KB
-
memory/1812-6-0x00000000746D0000-0x00000000746EF000-memory.dmpFilesize
124KB