Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-04-2022 02:24
Static task: static1
Behavioral task: behavioral1
- Sample: fjokw7.dll
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: fjokw7.dll
- Size: 538KB
- MD5: 8f83a5eaed1994d1a87fa16d77ad7833
- SHA1: 0f3da89a227960d1a87065f02428857c32a39b89
- SHA256: 67c1e48e17bc9e35b50e642ac99e475e1a6faee03ca671cea409bed644287580
- SHA512: 25d0a2c0f3d2885ce3f21a26f7a8b9e1e75aec5cc69f42dc4f9314805e900dd5f0f9149cee750489bb6aeac06dfdf2b7dd15d6fbfeab08c25d183d64257188ad
Malware Config (Extracted)
- Family: dridex
- Botnet: 10444
- C2:
  - 77.220.64.146:443
  - 85.25.134.43:8172
  - 213.208.134.178:6516
- rc4.plain
- rc4.plain
Signatures
- Drops file in System32 directory (2 IoCs)
  Processes: svchost.exe
  description   ioc                                                                                                                          process
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3FBC1592-8F5C-446C-B164-2047D55D59F7}.catalogItem  svchost.exe
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{40E78704-1E10-4347-B4ED-6425C2EB7708}.catalogItem  svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  description                       pid   process       target process
  PID 3792 wrote to memory of 3736  3792  regsvr32.exe  regsvr32.exe
  PID 3792 wrote to memory of 3736  3792  regsvr32.exe  regsvr32.exe
  PID 3792 wrote to memory of 3736  3792  regsvr32.exe  regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fjokw7.dll
  PID: 3792
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\fjokw7.dll
    PID: 3736
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 3732
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- memory/3736-130-0x0000000000000000-mapping.dmp
- memory/3736-132-0x0000000074BC0000-0x0000000074C58000-memory.dmp (Filesize: 608KB)
- memory/3736-131-0x0000000074BC0000-0x0000000074BFD000-memory.dmp (Filesize: 244KB)
- memory/3736-134-0x0000000074BC0000-0x0000000074C58000-memory.dmp (Filesize: 608KB)