Analysis
- max time kernel: 51s
- max time network: 59s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-03-2021 13:54
- Static task: static1
General
- Target: 20c5c02873f69ec0ad6b8c1470d90a3f3a350ebb1de0cd957e820663eff20baf.dll
- Size: 168KB
- MD5: 3f0cf83ea4ecd9c97eb4b605d586bd7c
- SHA1: b233ca947f52d7795502d7e7d32760827cca4dd9
- SHA256: 20c5c02873f69ec0ad6b8c1470d90a3f3a350ebb1de0cd957e820663eff20baf
- SHA512: a961482a1fa96db7110724401ee6394a56d7ffdc015627337792fb193f09aeb6978fe2964e6e5dce3e62f15d0c957f8253742e809062e4aec7c104e8e7251105
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  173.203.78.138:443
  217.160.107.189:6601
  77.220.64.150:5037
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource | yara_rule
  behavioral1/memory/1960-4-0x0000000075320000-0x000000007534C000-memory.dmp | dridex_ldr
  behavioral1/memory/1960-6-0x0000000075320000-0x000000007533F000-memory.dmp | dridex_ldr
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow | pid | process
  4 | 1960 | rundll32.exe
  7 | 1960 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 1656 wrote to memory of 1960 | 1656 | rundll32.exe | rundll32.exe
  PID 1656 wrote to memory of 1960 | 1656 | rundll32.exe | rundll32.exe
  PID 1656 wrote to memory of 1960 | 1656 | rundll32.exe | rundll32.exe
  PID 1656 wrote to memory of 1960 | 1656 | rundll32.exe | rundll32.exe
  PID 1656 wrote to memory of 1960 | 1656 | rundll32.exe | rundll32.exe
  PID 1656 wrote to memory of 1960 | 1656 | rundll32.exe | rundll32.exe
  PID 1656 wrote to memory of 1960 | 1656 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20c5c02873f69ec0ad6b8c1470d90a3f3a350ebb1de0cd957e820663eff20baf.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20c5c02873f69ec0ad6b8c1470d90a3f3a350ebb1de0cd957e820663eff20baf.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1528-7-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp (Filesize: 2.5MB)
- memory/1960-2-0x0000000000000000-mapping.dmp
- memory/1960-3-0x00000000765A1000-0x00000000765A3000-memory.dmp (Filesize: 8KB)
- memory/1960-4-0x0000000075320000-0x000000007534C000-memory.dmp (Filesize: 176KB)
- memory/1960-5-0x00000000001E0000-0x00000000001E6000-memory.dmp (Filesize: 24KB)
- memory/1960-6-0x0000000075320000-0x000000007533F000-memory.dmp (Filesize: 124KB)