Analysis
- max time kernel: 118s
- max time network: 121s
- submitted: 01-01-1970 00:00
Static task: static1
Behavioral task: behavioral1
- Sample: 7912f4bdf9b0f73f39462fd29536a3be.dll
- Resource: win7-en-20211014 (windows7_x64)
0 signatures, 0 seconds
General
- Target: 7912f4bdf9b0f73f39462fd29536a3be.dll
- Size: 750KB
- MD5: 7912f4bdf9b0f73f39462fd29536a3be
- SHA1: c50a63b068c3d16b81c66ad6ebc36f9b50b67916
- SHA256: 0bbf8dcb9ab6e8e50f127aa485186f8e75cc7428b9f2d5aa0a98ab35690988f5
- SHA512: 7c887db4f835fd1445a599f0e790a625b504dfaa417fb0f40bc064d93fec1ac96289c86503821ce66f8f666582e8d52af5b329d89242a4b9cf12a6886299738b
Malware Config
Extracted
- Family: dridex
- Botnet: 10555
- C2:
  192.46.210.220:443
  143.244.140.214:808
  45.77.0.96:6891
  185.56.219.47:8116
- Keys: rc4.plain, rc4.plain (two entries; the key values are not included in this export)
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
  3  532  rundll32.exe
  6  532  rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Note: the only IoC listed under this heading is a read of the EnableLUA policy value, which is a UAC-status check (the process tree below labels the same behaviour "Checks whether UAC is enabled"), not an Uninstall-key enumeration; no Uninstall-key access is shown in this report.
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 1788 wrote to memory of 532  rundll32.exe -> rundll32.exe  (7 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1788, tree depth 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7912f4bdf9b0f73f39462fd29536a3be.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 532, tree depth 2, child of the above)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7912f4bdf9b0f73f39462fd29536a3be.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Reading the tree: the DLL is invoked by export ordinal (",#1") from the user's temp directory. The 64-bit rundll32.exe cannot host a 32-bit DLL, so it re-launches itself as the 32-bit SysWOW64\rundll32.exe with the same command line; the seven "PID 1788 wrote to memory of 532" entries are consistent with that parent-to-child hand-off at process creation rather than with injection into an unrelated process. All of the sample's own observable behaviour (the network connections and the EnableLUA query) is attributed to the 32-bit child, PID 532.
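The two behaviours the report attributes to rundll32.exe (loading a DLL from %TEMP% by ordinal and then contacting the extracted Dridex C2 endpoints) can be turned into host-side detection logic. The block below is an added example and not part of the Triage report or of any vendor's detection content; the pipe-separated log format, the field names and the sample records are constructed for illustration, and only the DLL name, the PIDs and the C2 list are taken from the report.

```python
"""Flag rundll32.exe activity matching the sandbox report, from Sysmon-style
process-create (EventID 1) and network-connect (EventID 3) records.
Log format, field names and sample records are constructed for this example."""
import re
from dataclasses import dataclass

# C2 endpoints the sandbox extracted from the sample (report's Malware Config).
DRIDEX_C2 = {
    ("192.46.210.220", 443),
    ("143.244.140.214", 808),
    ("45.77.0.96", 6891),
    ("185.56.219.47", 8116),
}

# rundll32 loading a DLL from the user's temp directory by export ordinal (",#1").
# Pattern written for this example; tune the path list to your environment.
TEMP_DLL_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+.*\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record (constructed log format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def analyse(lines):
    """Return findings for a sequence of EventID 1 / EventID 3 records."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        pid = int(ev["PID"])
        image = ev.get("Image", "")
        if ev["EventID"] == "1" and is_rundll32(image):
            cmd = ev.get("CommandLine", "")
            if TEMP_DLL_ORDINAL.search(cmd):
                findings.append(Finding(pid, "temp_dll_by_ordinal", cmd))
            parent = ev.get("ParentImage", "").lower()
            if (image.lower().endswith("\\syswow64\\rundll32.exe")
                    and parent.endswith("\\system32\\rundll32.exe")):
                # 64-bit rundll32 re-launching itself as the 32-bit build to host
                # a 32-bit DLL. Informational on its own; it explains the
                # parent-to-child WriteProcessMemory seen in the report.
                findings.append(Finding(pid, "wow64_handoff", parent))
        elif ev["EventID"] == "3" and is_rundll32(image):
            endpoint = (ev["DestinationIp"], int(ev["DestinationPort"]))
            detail = "%s:%d" % endpoint
            # rundll32 has no legitimate reason to open outbound connections.
            findings.append(Finding(pid, "rundll32_network", detail))
            if endpoint in DRIDEX_C2:
                findings.append(Finding(pid, "dridex_c2", detail))
    return findings


def pids_matching(findings, rule):
    return sorted({f.pid for f in findings if f.rule == rule})


# Constructed records mirroring the report's process tree and network flows.
SAMPLE_EVENTS = [
    r"EventID=1|PID=1788|Image=C:\Windows\system32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe C:\Users\Admin\AppData\Local\Temp\7912f4bdf9b0f73f39462fd29536a3be.dll,#1",
    r"EventID=1|PID=532|Image=C:\Windows\SysWOW64\rundll32.exe|ParentImage=C:\Windows\system32\rundll32.exe|CommandLine=rundll32.exe C:\Users\Admin\AppData\Local\Temp\7912f4bdf9b0f73f39462fd29536a3be.dll,#1",
    r"EventID=1|PID=2000|Image=C:\Windows\system32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r"EventID=3|PID=532|Image=C:\Windows\SysWOW64\rundll32.exe|DestinationIp=192.46.210.220|DestinationPort=443",
    r"EventID=3|PID=532|Image=C:\Windows\SysWOW64\rundll32.exe|DestinationIp=143.244.140.214|DestinationPort=808",
    r"EventID=3|PID=900|Image=C:\Windows\system32\svchost.exe|DestinationIp=10.0.0.53|DestinationPort=53",
    r"EventID=3|PID=532|Image=C:\Windows\SysWOW64\rundll32.exe|DestinationIp=203.0.113.9|DestinationPort=8443",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<20} {f.detail}")
```

The benign Control Panel launch (PID 2000) and the svchost DNS lookup produce no findings, the WoW64 hand-off is recorded separately so it can be used as context rather than as an alert on its own, and a rundll32 connection to an endpoint outside the known C2 list is still raised under the generic rule, since the sandbox's blocklisted-process signature does not depend on the destination either.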
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/532-55-0x0000000000000000-mapping.dmp
- memory/532-56-0x0000000076431000-0x0000000076433000-memory.dmp (8KB)
- memory/532-57-0x00000000748F0000-0x00000000749B9000-memory.dmp (804KB)
- memory/532-58-0x00000000748F0000-0x000000007492D000-memory.dmp (244KB)
- memory/532-59-0x00000000748F0000-0x00000000749B9000-memory.dmp (804KB)
- memory/532-61-0x00000000000B0000-0x00000000000B1000-memory.dmp (4KB)
All dumps are taken from PID 532, the 32-bit SysWOW64 child that carried out the network and registry activity.