Analysis
-
max time kernel
119s -
max time network
124s -
submitted
01-01-1970 00:00
Static task
static1
Behavioral task
behavioral1
Sample
43a7af68ffc6179746706607b89fc996.dll
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
General
-
Target
43a7af68ffc6179746706607b89fc996.dll
-
Size
750KB
-
MD5
43a7af68ffc6179746706607b89fc996
-
SHA1
706cef2b7cd473da26b35306dd3e5533741d603e
-
SHA256
49c48ee0386bb21cfc39effe5a7e6f06398921ffda0f65864d66ae883808731c
-
SHA512
83c1e5ab86aab3ad5f1d9b76ae382f675a41138ce2b8e5277461c751d333fb3dca01d371411506ebd1aed1ff6e97861ab85aa487f1efca511223392bd6cfe632
Malware Config
Extracted
Family
dridex
Botnet
10555
C2
192.46.210.220:443
143.244.140.214:808
45.77.0.96:6891
185.56.219.47:8116
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exe
flow  pid   process
3     1668  rundll32.exe
6     1668  rundll32.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exe
description        ioc                                                                                    process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exe
description         pid   process       target process
PID 1704 wrote to memory of 1668  1704  rundll32.exe  rundll32.exe
PID 1704 wrote to memory of 1668  1704  rundll32.exe  rundll32.exe
PID 1704 wrote to memory of 1668  1704  rundll32.exe  rundll32.exe
PID 1704 wrote to memory of 1668  1704  rundll32.exe  rundll32.exe
PID 1704 wrote to memory of 1668  1704  rundll32.exe  rundll32.exe
PID 1704 wrote to memory of 1668  1704  rundll32.exe  rundll32.exe
PID 1704 wrote to memory of 1668  1704  rundll32.exe  rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\43a7af68ffc6179746706607b89fc996.dll,#1
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\43a7af68ffc6179746706607b89fc996.dll,#1
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1668-55-0x0000000000000000-mapping.dmp
-
memory/1668-56-0x00000000757E1000-0x00000000757E3000-memory.dmp
Filesize
8KB
-
memory/1668-57-0x0000000074B30000-0x0000000074BF9000-memory.dmp
Filesize
804KB
-
memory/1668-58-0x0000000074B30000-0x0000000074B6D000-memory.dmp
Filesize
244KB
-
memory/1668-59-0x0000000074B30000-0x0000000074BF9000-memory.dmp
Filesize
804KB
-
memory/1668-61-0x00000000000B0000-0x00000000000B1000-memory.dmp
Filesize
4KB