Analysis
-
max time kernel
47s -
max time network
61s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
11-06-2022 16:17
Static task
static1
Behavioral task
behavioral1
Sample
a3et6u5dw.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
a3et6u5dw.dll
-
Size
1.0MB
-
MD5
11ff45c66f3e348e6a917727bba8f5a3
-
SHA1
c283ad51b6fac72e7adfbeda17c7e40b8d58bda0
-
SHA256
661f043e901c0ec7151745e977fc7cc438d979aaee85ce3dbd955b0d2d95d36e
-
SHA512
76ae5f1a64f17feaeb718af3fdba906bbeac68e8063ac03facb59af31b8df4fc87c8daf6718d53010d8c97065250a1b31773fb229a445bf1f7fe3836217ef44a
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
192.46.210.220:443
143.244.140.214:808
45.77.0.96:6891
185.56.219.47:8116
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 2 1944 rundll32.exe 4 1944 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1936 wrote to memory of 1944 1936 rundll32.exe rundll32.exe PID 1936 wrote to memory of 1944 1936 rundll32.exe rundll32.exe PID 1936 wrote to memory of 1944 1936 rundll32.exe rundll32.exe PID 1936 wrote to memory of 1944 1936 rundll32.exe rundll32.exe PID 1936 wrote to memory of 1944 1936 rundll32.exe rundll32.exe PID 1936 wrote to memory of 1944 1936 rundll32.exe rundll32.exe PID 1936 wrote to memory of 1944 1936 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a3et6u5dw.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a3et6u5dw.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
PID:1944