Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-06-2022 16:30

General

  • Target

    dyh3tb9j.dll

  • Size

    497KB

  • MD5

    ea17e483833d1d1b26babad280b6f7cd

  • SHA1

    ffd61dddb0607a6a12e9f58b50185be7998f7e39

  • SHA256

    db8945a793ea1bd94eb1aa3e3e14e84da66b3048f4a86e814e6d0f8dd5c8c276

  • SHA512

    7d2add1d53aa7d84ef2e223d5ef8b27ff8f7d5847a27407fed5d0d9cffd3a64bc6ebc41b8b6000d92f077ab7908f940963bdbafe6bb817131dc9ce78d3b2f95e

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

178.128.83.165:443

128.199.59.13:8172

110.164.184.226:6516

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Blocklisted process makes network request 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dyh3tb9j.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dyh3tb9j.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Checks whether UAC is enabled
      PID:3140

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3140-130-0x0000000000000000-mapping.dmp

  • memory/3140-132-0x00000000753C0000-0x0000000075453000-memory.dmp

    Filesize

    588KB

  • memory/3140-131-0x00000000753C0000-0x00000000753FD000-memory.dmp

    Filesize

    244KB

  • memory/3140-134-0x00000000753C0000-0x0000000075453000-memory.dmp

    Filesize

    588KB