Analysis

max time kernel: 118s
max time network: 133s
submitted: 01-01-1970 00:00 (Unix epoch zero, i.e. no real submission time is recorded on the page)

Tasks:
  static1 (Static task): 0 signatures, 0 seconds
  behavioral1 (Behavioral task), resource win7-en-20210920: runtime as given by the kernel/network times above
Sample: 5cd4988de59920aebbb8503a1c1f5058.dll
General

Target: 5cd4988de59920aebbb8503a1c1f5058.dll
Size: 750KB
MD5: 5cd4988de59920aebbb8503a1c1f5058
SHA1: 37535808336626f0c720c6dce501235fbbfc3905
SHA256: 9352fd60d126b587679562be46c2c8b9912974cf25ea8915a48ea76f9784f372
SHA512: 19f464658f22d3d27ac60cc8f546cd49a06c3409be5c2a4f18fa9ace7131b5153a6e3e8ce071ad86dc7474f30e270cb141b9b1c03443761f803a70f76dd35afd
Malware Config

Extracted
Family: dridex
Botnet: 10555
C2:
  192.46.210.220:443
  143.244.140.214:808
  45.77.0.96:6891
  185.56.219.47:8116
rc4.plain: two RC4 key entries are listed; the key values themselves are not reproduced on this page
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow 3 | pid 1196 | rundll32.exe
  flow 6 | pid 1196 | rundll32.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system. (The page reproduces no Uninstall-key IoC for this signature.)

Checks whether UAC is enabled
The EnableLUA query below belongs to this signature, which the process tree lists against the SysWOW64 rundll32.exe instance, not to the Uninstall-key enumeration above.
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (all seven entries are the same source/target pair):
  PID 756 (rundll32.exe) wrote to memory of PID 1196 (rundll32.exe), 7 times
A parent writing into a child it has just created is what CreateProcess itself does (the new process's parameters are written into it from the parent), so parent-to-child writes like these are weak evidence of injection on their own; the 64-bit rundll32 re-launching its 32-bit copy, shown in the process tree below, accounts for them.
Processes
(PIDs taken from the signature tables above: 756 is the parent, 1196 the child that made the network requests.)

1. C:\Windows\system32\rundll32.exe (PID 756)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cd4988de59920aebbb8503a1c1f5058.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1196), child of 1
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cd4988de59920aebbb8503a1c1f5058.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled

",#1" invokes the DLL's export ordinal 1 rather than a named export. The 64-bit rundll32 under system32 re-executes the SysWOW64 copy when the DLL it is handed is 32-bit, so the sample is a 32-bit DLL and all of the flagged behaviour (C2 traffic, the EnableLUA check, the memory dumps below) comes from PID 1196.
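Added example, not part of the Triage report: detection logic for the rundll32 pattern this process tree shows (a DLL in %TEMP% loaded by export ordinal, and the 64-bit rundll32 spawning its SysWOW64 copy), run over constructed process-creation events shaped like Sysmon Event ID 1 fields. The field names, the user-writable path list, the parent of PID 756 and the benign third event are assumptions for illustration; only the command line and the system32 -> SysWOW64 hand-off come from the report.

```python
"""Detect the rundll32 pattern from the report over constructed
process-creation events (Sysmon Event ID 1 style fields).
Added example; field names, paths and sample events are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# rundll32 <dll>,<export>: the export is either an ordinal (#1) or a name.
# Real rundll32 parsing is looser (it also accepts a space instead of the
# comma); this covers the comma form seen in the report.
RUNDLL32_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)

# Directories an unprivileged user can write to (assumed list). A DLL loaded
# from one of these via rundll32 is the part of the pattern worth alerting on.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\downloads\\",
)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, or None."""
    m = RUNDLL32_ARG.search(cmdline)
    if m is None:
        return None
    return m.group("dll"), m.group("export")


def assess(event: Dict[str, str]) -> List[str]:
    """Return the findings for one process-creation event (empty if none)."""
    findings: List[str] = []
    image = event.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return findings
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return findings
    dll, export = parsed
    dll_l = dll.lower()
    if export.startswith("#"):
        findings.append(f"export invoked by ordinal {export}")
    if any(d in dll_l for d in USER_WRITABLE):
        findings.append(f"DLL loaded from user-writable path: {dll}")
    # 64-bit rundll32 re-executes its SysWOW64 copy when handed a 32-bit DLL.
    # Benign on its own, but it tells you the DLL is 32-bit and which of the
    # two rundll32 instances actually runs the sample's code.
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\system32\\rundll32.exe") and "\\syswow64\\" in image:
        findings.append("32-bit re-launch: 64-bit rundll32 spawned the SysWOW64 copy")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map ProcessId -> findings for every event."""
    return {e["ProcessId"]: assess(e) for e in events}


# Constructed events mirroring the report's tree (the parent of PID 756 is an
# assumption; the report does not show it) plus one benign rundll32 use.
SAMPLE_CMD = (
    "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    "5cd4988de59920aebbb8503a1c1f5058.dll,#1"
)
EVENTS = [
    {"ProcessId": "756", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\system32\\rundll32.exe", "CommandLine": SAMPLE_CMD},
    {"ProcessId": "1196", "ParentImage": "C:\\Windows\\system32\\rundll32.exe",
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe", "CommandLine": SAMPLE_CMD},
    {"ProcessId": "4000", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\system32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits or "clean")
```

Running it flags PID 756 for the ordinal export and the %TEMP% path, adds the re-launch note on PID 1196, and leaves the Control Panel invocation clean. The re-launch check is deliberately informational: alert on the path and ordinal, and use the parent/child pair to pick the process to pull memory from.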
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Memory dumps (all from PID 1196, the SysWOW64 rundll32.exe):

  dump                                                              range                     size
  memory/1196-54-0x0000000000000000-mapping.dmp                     (mapping)                 -
  memory/1196-55-0x0000000076A81000-0x0000000076A83000-memory.dmp   0x76A81000-0x76A83000     8KB
  memory/1196-56-0x0000000075040000-0x0000000075109000-memory.dmp   0x75040000-0x75109000     804KB
  memory/1196-57-0x0000000075040000-0x000000007507D000-memory.dmp   0x75040000-0x7507D000     244KB
  memory/1196-58-0x0000000075040000-0x0000000075109000-memory.dmp   0x75040000-0x75109000     804KB
  memory/1196-60-0x0000000000130000-0x0000000000131000-memory.dmp   0x00130000-0x00131000     4KB

Dumps 56 and 58 cover the same 804KB region at 0x75040000, and 57 a 244KB prefix of it; a region of that size in the 32-bit child is consistent with the mapped image of the 750KB sample DLL, so these are the dumps to start from when carving the in-memory copy.