Analysis
- max time kernel: 66s
- max time network: 99s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-06-2022 16:47
Static task: static1
Behavioral task: behavioral1
- Sample: m2st428.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: m2st428.dll
- Size: 1.0MB
- MD5: 707a7a0945a99cbe9c542566c79ca006
- SHA1: fcc6984d14ca28719c514f71c12aa77dde9fe4b3
- SHA256: 7f40daf140f16c6a6d70eee101a08640b0f301a8c224fdac5254b5b71e62eb8d
- SHA512: 61144cf4602f78aefc137bf9d8ae7002c784d22bc9ad5b8a0449c8e5ac83b158d0d2e6bbb56114a8d61f1b2a37919946a361e49d5a6fc18078bb78ce2ed8a41a
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 192.46.210.220:443
  - 143.244.140.214:808
  - 45.77.0.96:6891
  - 185.56.219.47:8116
- rc4.plain
- rc4.plain
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - 3 / 1984 / rundll32.exe
  - 5 / 1984 / rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process):
  - PID 2008 wrote to memory of 1984 / 2008 / rundll32.exe / rundll32.exe (7 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\m2st428.dll,#1 (1 signature)
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\m2st428.dll,#1 (2 signatures)
  - Blocklisted process makes network request
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1984-54-0x0000000000000000-mapping.dmp
- memory/1984-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (Filesize: 8KB)
- memory/1984-56-0x00000000752A0000-0x00000000753BB000-memory.dmp (Filesize: 1.1MB)
- memory/1984-58-0x00000000752A0000-0x00000000753BB000-memory.dmp (Filesize: 1.1MB)
- memory/1984-57-0x00000000752A0000-0x00000000752DD000-memory.dmp (Filesize: 244KB)
- memory/1984-60-0x00000000752A0000-0x00000000753BB000-memory.dmp (Filesize: 1.1MB)
- memory/1984-61-0x00000000752A0000-0x00000000753BB000-memory.dmp (Filesize: 1.1MB)