Analysis
- Max time kernel: 125s
- Max time network: 126s
- Submitted: 01-01-1970 00:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4c8c21c4c4113bc5efe3d80486b4e924.dll
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 4c8c21c4c4113bc5efe3d80486b4e924.dll
- Size: 750KB
- MD5: 4c8c21c4c4113bc5efe3d80486b4e924
- SHA1: 8415c8a41dbadf1ef05c7119173f4867a8e8446d
- SHA256: 6686210968e45d977fb581b5a43b052ae4af68cf3aec55a2cc234998f1194ba9
- SHA512: 2a9a7284bbee89a75f11a436466cf71ca80d642f7d09e682a181861fdd328ba92955fbe3ee94eff4c8f3f59cbea69bc0d8bcc0d2208a8c5ea7cc1c100266c5ed
Malware Config
Extracted
- Family: dridex
- Botnet: 10555
- C2:
  192.46.210.220:443
  143.244.140.214:808
  45.77.0.96:6891
  185.56.219.47:8116
- rc4.plain
- rc4.plain
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  26    2828  rundll32.exe
  27    2828  rundll32.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process       target process
  PID 2820 wrote to memory of 2828  2820  rundll32.exe  rundll32.exe
  PID 2820 wrote to memory of 2828  2820  rundll32.exe  rundll32.exe
  PID 2820 wrote to memory of 2828  2820  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c8c21c4c4113bc5efe3d80486b4e924.dll,#1
   PID: 2820
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c8c21c4c4113bc5efe3d80486b4e924.dll,#1
      PID: 2828
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2828-115-0x0000000000000000-mapping.dmp
- memory/2828-116-0x0000000073750000-0x0000000073819000-memory.dmp (Filesize 804KB)
- memory/2828-117-0x0000000073750000-0x000000007378D000-memory.dmp (Filesize 244KB)
- memory/2828-118-0x0000000073750000-0x0000000073819000-memory.dmp (Filesize 804KB)
- memory/2828-120-0x0000000003140000-0x0000000003141000-memory.dmp (Filesize 4KB)
- memory/2828-121-0x0000000003140000-0x0000000003141000-memory.dmp (Filesize 4KB)
- memory/2828-122-0x0000000003140000-0x0000000003141000-memory.dmp (Filesize 4KB)
- memory/2828-510-0x0000000003130000-0x0000000003131000-memory.dmp (Filesize 4KB)