Analysis
max time kernel: 117s
max time network: 127s
submitted: 01-01-1970 00:00
Static task: static1
Behavioral task: behavioral1
Sample: 2eb65a8ce173d88e886f8333c300c92f.dll
Resource: win7-en-20210920 (windows7_x64)
0 signatures
0 seconds
General
Target: 2eb65a8ce173d88e886f8333c300c92f.dll
Size: 750KB
MD5: 2eb65a8ce173d88e886f8333c300c92f
SHA1: 8e58167cab24be18c890420f8c5f3b77f21ce465
SHA256: 260eb41d6b91067463a91d3adfe632e8a894c2a42fbb2c0b03b0860964c7bff8
SHA512: 3396498de9270a223cfb7319b5d201aee38a5444c8b616e56ec1de6715d2e1f05a9a464452b204ddad9bc59380026e14346a8c60b03db347bc4a92dd01b81715
Malware Config
Extracted
Family: dridex
Botnet: 10555
C2:
- 192.46.210.220:443
- 143.244.140.214:808
- 45.77.0.96:6891
- 185.56.219.47:8116
rc4.plain
rc4.plain
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow | pid | process
  3 | 1248 | rundll32.exe
  6 | 1248 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 1452 wrote to memory of 1248 | 1452 | rundll32.exe | rundll32.exe
  (the same entry is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb65a8ce173d88e886f8333c300c92f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb65a8ce173d88e886f8333c300c92f.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1248-54-0x0000000000000000-mapping.dmp
- memory/1248-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp (8KB)
- memory/1248-56-0x0000000074E00000-0x0000000074EC9000-memory.dmp (804KB)
- memory/1248-57-0x0000000074E00000-0x0000000074E3D000-memory.dmp (244KB)
- memory/1248-58-0x0000000074E00000-0x0000000074EC9000-memory.dmp (804KB)
- memory/1248-60-0x00000000000F0000-0x00000000000F1000-memory.dmp (4KB)