Analysis
- max time kernel: 130s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-06-2022 16:44

Static task: static1
Behavioral task: behavioral1

Sample: kotv5chb.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures
0 seconds
General
- Target: kotv5chb.dll
- Size: 1.0MB
- MD5: 731544128fa736287d64a569b9ba108a
- SHA1: 1fdd7e0f4eed7e8cf7856515dd7c487694aa963e
- SHA256: e63095be2fa1b8110b1ff04df2403b6d98424ca39862f777b1998d2002fb640e
- SHA512: db0138ca7263be7ed608cd4a3dc0da75d7e2f54ebf979bf9daa4ce990e4c7c468f25e3e61154becd3c09d05c5c166578106d871cd49e09913d46db8e2d0e35e3
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 192.46.210.220:443
  - 143.244.140.214:808
  - 45.77.0.96:6891
  - 185.56.219.47:8116
- rc4.plain
- rc4.plain
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
  - rundll32.exe: flow 17, pid 2428, process rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  - rundll32.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process rundll32.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - rundll32.exe: PID 1348 wrote to memory of 2428 (pid 1348, process rundll32.exe, target process rundll32.exe)
  - rundll32.exe: PID 1348 wrote to memory of 2428 (pid 1348, process rundll32.exe, target process rundll32.exe)
  - rundll32.exe: PID 1348 wrote to memory of 2428 (pid 1348, process rundll32.exe, target process rundll32.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\kotv5chb.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\kotv5chb.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2428-130-0x0000000000000000-mapping.dmp
- memory/2428-131-0x0000000074C70000-0x0000000074D8B000-memory.dmp (Filesize: 1.1MB)
- memory/2428-132-0x0000000074C70000-0x0000000074CAD000-memory.dmp (Filesize: 244KB)
- memory/2428-133-0x0000000074C70000-0x0000000074D8B000-memory.dmp (Filesize: 1.1MB)
- memory/2428-135-0x0000000074C70000-0x0000000074D8B000-memory.dmp (Filesize: 1.1MB)