Analysis
max time kernel: 44s
max time network: 63s
platform: windows7_x64
resource: win7-20220414-en
submitted: 11-06-2022 16:51
Static task: static1
Behavioral task: behavioral1
Sample: og27ksp6.dll
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
Target: og27ksp6.dll
Size: 1.0MB
MD5: f6513fd9bb92c2eecb2bee88d7a221a3
SHA1: f2358c1c65a3d76fdd29018c76915971fe91ee5b
SHA256: 4850bb885ea9c2266d592c33de4e326555cee54156978afbc846f75836b991ae
SHA512: 204948b212553665e4b31169f5bafe500cc5735af1da05fa722d26b4ea76cf2c004b7a36488936b873c83bfd34c59e8acd623922306a4c851b5a306c8ef3766e
Malware Config
Extracted
Family: dridex
Botnet: 10444
C2:
  192.46.210.220:443
  143.244.140.214:808
  45.77.0.96:6891
  185.56.219.47:8116
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
  flow | pid  | process
  2    | 1688 | rundll32.exe
  5    | 1688 | rundll32.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes: rundll32.exe
  description       | ioc                                                                                 | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe
  description                     | pid | process      | target process
  PID 904 wrote to memory of 1688 | 904 | rundll32.exe | rundll32.exe
  (7 IoCs, all identical)
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\og27ksp6.dll,#1
  PID: 904
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\og27ksp6.dll,#1
    PID: 1688
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1688-54-0x0000000000000000-mapping.dmp
- memory/1688-55-0x00000000751C1000-0x00000000751C3000-memory.dmp (Filesize: 8KB)
- memory/1688-56-0x0000000074640000-0x000000007475B000-memory.dmp (Filesize: 1.1MB)
- memory/1688-58-0x0000000074640000-0x000000007475B000-memory.dmp (Filesize: 1.1MB)
- memory/1688-57-0x0000000074640000-0x000000007467D000-memory.dmp (Filesize: 244KB)
- memory/1688-60-0x0000000074640000-0x000000007475B000-memory.dmp (Filesize: 1.1MB)
- memory/1688-61-0x0000000074640000-0x000000007475B000-memory.dmp (Filesize: 1.1MB)