Analysis
max time kernel: 39s
max time network: 110s
platform: windows10_x64
resource: win10v20210408
submitted: 19-04-2021 18:04

Static task: static1
Behavioral task: behavioral1
Sample: 4109f894deca301629b0e7895a37630dedf9f595dd99777d99fbe96454864752.dll
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds

The windows7_x64 task (behavioral1) reported no signatures. The signatures, process tree and memory dumps below come from the windows10_x64 run (the behavioral2 task, whose memory dumps are listed under Downloads).
General
Target: 4109f894deca301629b0e7895a37630dedf9f595dd99777d99fbe96454864752.dll
Size: 923KB
MD5: a14bcdc32c2a0ff2b0e3047d95bdb4a7
SHA1: 59006c8bd58d371f66b8d382ed1e0b55bedce274
SHA256: 4109f894deca301629b0e7895a37630dedf9f595dd99777d99fbe96454864752
SHA512: 75e59153e9622714bdd7d9d7a5b8befbb509c731d1d12f79a23fe7d498114754966e56255a58f882c7717eedef3232d9de7f3ab08ef2d64f829fac6478f1da64
Malware Config
Extracted
Family: dridex
Botnet: 10444
C2:
146.185.170.249:443
62.75.251.60:6601
185.148.168.25:2303
rc4.plain
rc4.plain
Signatures

YARA rule dridex_ldr matched in memory: 2 IoCs
resource | yara_rule
behavioral2/memory/900-115-0x00000000737C0000-0x00000000737FD000-memory.dmp | dridex_ldr
behavioral2/memory/900-116-0x00000000737C0000-0x00000000738C0000-memory.dmp | dridex_ldr

Blocklisted process makes network request: 2 IoCs
flow | pid | process
20 | 900 | rundll32.exe
22 | 900 | rundll32.exe

Checks installed software on the system: 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (reads the EnableLUA policy value, which is what turns UAC on or off)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory: 3 IoCs
description | pid | process | target process
PID 3008 wrote to memory of 900 | 3008 | rundll32.exe | rundll32.exe
PID 3008 wrote to memory of 900 | 3008 | rundll32.exe | rundll32.exe
PID 3008 wrote to memory of 900 | 3008 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe (PID 3008)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4109f894deca301629b0e7895a37630dedf9f595dd99777d99fbe96454864752.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 900)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4109f894deca301629b0e7895a37630dedf9f595dd99777d99fbe96454864752.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled

The DLL is invoked by export ordinal (,#1) rather than by name. PID 3008 is the 64-bit rundll32 from system32; when handed a 32-bit DLL it re-launches the 32-bit rundll32 from SysWOW64 (PID 900) to host it, and the three WriteProcessMemory events in the Signatures section are from that parent to that child. It is the SysWOW64 child that runs the loader, makes the two flagged network flows, reads EnableLUA and is the source of every memory dump listed under Downloads.
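The following is an added example, not part of the sandbox report and not vendor tooling. It turns the report's observables into host-log detection logic: the C2 endpoints come from the Malware Config section, and the process rules mirror the process tree and the WriteProcessMemory signature (rundll32.exe loading a DLL out of the user's Temp directory by ordinal, and the system32 rundll32 spawning the SysWOW64 copy on the same DLL). Event field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect); the rule names, the web-port allowlist and the sample events are this example's own choices, constructed here rather than taken from the run.

```python
"""Triage constructed Sysmon-style events against the IOCs in this report.

Added example; it is not part of the sandbox report and not vendor tooling.
C2 endpoints are the ones the report's config extractor recovered. The process
rules mirror the report's process tree. Field names follow Sysmon Event ID 1
(ProcessCreate) and 3 (NetworkConnect); the rule names, the port allowlist and
the sample events are this example's own choices, not data from the run.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# (host, port) pairs from the report's extracted Dridex config
C2_ENDPOINTS = {
    ("146.185.170.249", 443),
    ("62.75.251.60", 6601),
    ("185.148.168.25", 2303),
}
# Ports on which an outbound connection from rundll32 is not flagged by Rule D
EXPECTED_WEB_PORTS = {80, 443}

# rundll32 [path\]<dll>,<entry>  where <entry> is an ordinal (#1) or an export name
RUNDLL32_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,(?P<entry>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)
USER_TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def rundll32_args(command_line: str):
    """Return (dll_path, entry) parsed from a rundll32 command line, or None."""
    m = RUNDLL32_ARG.search(command_line or "")
    return (m.group("dll"), m.group("entry")) if m else None


def image_is(image: str, tail: str) -> bool:
    """Case-insensitive suffix match on an image path."""
    return image.lower().endswith(tail.lower())


def check_process_create(ev: dict) -> list[Finding]:
    findings: list[Finding] = []
    args = rundll32_args(ev.get("CommandLine", "")) if image_is(ev["Image"], r"\rundll32.exe") else None
    if args is None:
        return findings
    dll, entry = args
    # Rule A: DLL staged under the user's Temp directory and entered by ordinal
    if USER_TEMP_DIR.match(dll) and entry.startswith("#"):
        findings.append(Finding("rundll32-temp-dll-ordinal", ev["ProcessId"], f"{dll},{entry}"))
    # Rule B: 64-bit rundll32 relaunching the SysWOW64 copy on the same DLL,
    # the parent/child pair behind the report's WriteProcessMemory signature
    parent_args = rundll32_args(ev.get("ParentCommandLine", ""))
    if (image_is(ev["Image"], r"\SysWOW64\rundll32.exe")
            and image_is(ev.get("ParentImage", ""), r"\System32\rundll32.exe")
            and parent_args is not None and parent_args[0].lower() == dll.lower()):
        findings.append(Finding("rundll32-wow64-relaunch", ev["ProcessId"],
                                f"parent pid {ev.get('ParentProcessId')}"))
    return findings


def check_network_connect(ev: dict) -> list[Finding]:
    findings: list[Finding] = []
    dst, port = ev["DestinationIp"], int(ev["DestinationPort"])
    # Rule C: any process reaching an extracted C2 endpoint is a hit on its own
    if (dst, port) in C2_ENDPOINTS:
        findings.append(Finding("known-dridex-c2", ev["ProcessId"], f"{dst}:{port}"))
    # Rule D: rundll32 talking to a public address on a non-web port (catches
    # C2 on odd ports such as 6601/2303 even after the address list goes stale)
    ip = ipaddress.ip_address(dst)
    if (image_is(ev["Image"], r"\rundll32.exe") and port not in EXPECTED_WEB_PORTS
            and not (ip.is_private or ip.is_loopback or ip.is_link_local)):
        findings.append(Finding("rundll32-public-nonweb-port", ev["ProcessId"], f"{dst}:{port}"))
    return findings


def triage(events) -> list[Finding]:
    """Run every rule over a sequence of Sysmon-style event dicts, in order."""
    out: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 1:
            out.extend(check_process_create(ev))
        elif ev["EventID"] == 3:
            out.extend(check_network_connect(ev))
    return out


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\4109f894deca301629b0e7895a37630dedf9f595dd99777d99fbe96454864752.dll"

# Constructed events: the report's rundll32 pair and two of its C2 flows, plus a
# benign rundll32 launch and a browser reaching a C2 address as controls
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3008, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentProcessId": 1234, "ParentCommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessId": 3008, "ParentCommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "146.185.170.249", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "62.75.251.60", "DestinationPort": 6601},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1234, "ParentCommandLine": "explorer.exe"},
    {"EventID": 3, "ProcessId": 5200, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "62.75.251.60", "DestinationPort": 6601},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
```

Rule C is deliberately process-agnostic: a connection to an extracted C2 endpoint is an IOC hit regardless of which image made it, which is why the constructed browser event fires it. Rule D is the behavioural fallback for when the address list has rotated; the 443 flow in the report slips past it by design, and only the 6601 flow trips it, so the two rules are meant to be run together rather than as alternatives.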
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/900-114-0x0000000000000000-mapping.dmp
memory/900-115-0x00000000737C0000-0x00000000737FD000-memory.dmp
Filesize: 244KB
memory/900-116-0x00000000737C0000-0x00000000738C0000-memory.dmp
Filesize: 1024KB
memory/900-179-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
Filesize: 4KB

All dumps are from PID 900, the SysWOW64 rundll32. The 115 and 116 dumps are the two regions at 0x737C0000 that the dridex_ldr YARA rule matched in the Signatures section; 116 covers the full 1024KB mapping of which 115 is the first 244KB.