Analysis

- Max time kernel: 120s
- Max time network: 120s
- Submitted: 01-01-1970 00:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 89b7c487153fde5e805033c42513b1e4.dll
- Resource: win7-en-20211014
- Platform: windows7_x64
General

- Target: 89b7c487153fde5e805033c42513b1e4.dll
- Size: 750KB
- MD5: 89b7c487153fde5e805033c42513b1e4
- SHA1: 08e546126c76ecdf75bdc1d4b4021d27c6887c80
- SHA256: 13f68a7bce85a8f2866de99893398a8f46bd0f0650b687e20489e8d01d1f9d4c
- SHA512: 1ed20ac7827935626d13eeee6dc10ef758ffae7a86740143b1485405c769ea40d9dd116ddd53f0077faa163736d1bdd20d18e4c2f133e0f657cfb7eb62b6bfdb
Malware Config (extracted)

- Family: dridex
- Botnet: 10555
- C2:
  - 192.46.210.220:443
  - 143.244.140.214:808
  - 45.77.0.96:6891
  - 185.56.219.47:8116
- rc4.plain
- rc4.plain
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    3     1608  rundll32.exe
    6     1608  rundll32.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
    description        ioc                                                                                      process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                         pid   process       target process
    PID 1424 wrote to memory of 1608    1424  rundll32.exe  rundll32.exe
    PID 1424 wrote to memory of 1608    1424  rundll32.exe  rundll32.exe
    PID 1424 wrote to memory of 1608    1424  rundll32.exe  rundll32.exe
    PID 1424 wrote to memory of 1608    1424  rundll32.exe  rundll32.exe
    PID 1424 wrote to memory of 1608    1424  rundll32.exe  rundll32.exe
    PID 1424 wrote to memory of 1608    1424  rundll32.exe  rundll32.exe
    PID 1424 wrote to memory of 1608    1424  rundll32.exe  rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\89b7c487153fde5e805033c42513b1e4.dll,#1
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (child)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\89b7c487153fde5e805033c42513b1e4.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- memory/1608-55-0x0000000000000000-mapping.dmp
- memory/1608-56-0x0000000075B71000-0x0000000075B73000-memory.dmp (Filesize: 8KB)
- memory/1608-57-0x0000000074A10000-0x0000000074AD9000-memory.dmp (Filesize: 804KB)
- memory/1608-58-0x0000000074A10000-0x0000000074A4D000-memory.dmp (Filesize: 244KB)
- memory/1608-59-0x0000000074A10000-0x0000000074AD9000-memory.dmp (Filesize: 804KB)
- memory/1608-61-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize: 4KB)