Analysis
-
max time kernel
91s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
11-06-2022 16:36
Static task
static1
Behavioral task
behavioral1
Sample
h0pr8ad8y.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
h0pr8ad8y.dll
-
Size
1.0MB
-
MD5
e89d3eb135ec079aeede207b2f096014
-
SHA1
9278bb8b1d6e5fc2e509d3efacb2efe77a4ec93f
-
SHA256
a6165037e61807f6eb845bf9fae546bb9290685335c0ed50e6102ca9857e5fe9
-
SHA512
666a13c7eadb52d43410791fb46ea92fe017d416f8347ed3c749a95ca257b43dd251bf12705b45287e8fc52979d8e54569d97d98a670ae46ca9201eb5e29c239
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
192.46.210.220:443
143.244.140.214:808
45.77.0.96:6891
185.56.219.47:8116
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 23 2008 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 5012 wrote to memory of 2008 5012 rundll32.exe rundll32.exe PID 5012 wrote to memory of 2008 5012 rundll32.exe rundll32.exe PID 5012 wrote to memory of 2008 5012 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\h0pr8ad8y.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\h0pr8ad8y.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
PID:2008