Analysis

  • max time kernel
    96s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-06-2022 16:34

General

  • Target

    fjokw7.dll

  • Size

    538KB

  • MD5

    8f83a5eaed1994d1a87fa16d77ad7833

  • SHA1

    0f3da89a227960d1a87065f02428857c32a39b89

  • SHA256

    67c1e48e17bc9e35b50e642ac99e475e1a6faee03ca671cea409bed644287580

  • SHA512

    25d0a2c0f3d2885ce3f21a26f7a8b9e1e75aec5cc69f42dc4f9314805e900dd5f0f9149cee750489bb6aeac06dfdf2b7dd15d6fbfeab08c25d183d64257188ad

Score
10/10

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

77.220.64.146:443

85.25.134.43:8172

213.208.134.178:6516

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fjokw7.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\fjokw7.dll
      2⤵
        PID:1828

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1356-54-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

      Filesize

      8KB

    • memory/1828-55-0x0000000000000000-mapping.dmp

    • memory/1828-56-0x0000000076191000-0x0000000076193000-memory.dmp

      Filesize

      8KB

    • memory/1828-58-0x00000000745C0000-0x0000000074658000-memory.dmp

      Filesize

      608KB

    • memory/1828-57-0x00000000745C0000-0x00000000745FD000-memory.dmp

      Filesize

      244KB

    • memory/1828-60-0x00000000745C0000-0x0000000074658000-memory.dmp

      Filesize

      608KB

    • memory/1828-61-0x00000000745C0000-0x0000000074658000-memory.dmp

      Filesize

      608KB