Analysis
- max time kernel: 96s
- max time network: 111s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-06-2022 16:55

Static task: static1
Behavioral task: behavioral1
Sample: q9ypuhl3.dll
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
- Target: q9ypuhl3.dll
- Size: 576KB
- MD5: 029c4b7edb22ac490cb6579e01fc341b
- SHA1: c8db490c03efd8de9d41d2bca72078a1bfa21e5d
- SHA256: c65243e51ddff712ffe22c8251980cb60c6b4d067074abe23695d2aeb7bf99f9
- SHA512: fc0bdab89e6f576a6bb0d1064a91c0094b35cb490c0d06a52032572d1e2bf00329fd74e86a46962432ce73dba46b52dfd60111ab3c564f99bc14a731826e1741
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  77.220.64.131:443
  5.196.204.251:5037
  192.99.41.136:981
  24.229.3.146:4664
- rc4.plain
- rc4.plain
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes:
  flow 3, PID 1824, rundll32.exe
  flow 5, PID 1824, rundll32.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  PID 1980 (rundll32.exe) wrote to memory of PID 1824 (rundll32.exe), 7 identical entries
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\q9ypuhl3.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1980
  -
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\q9ypuhl3.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
    PID: 1824
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1824-54-0x0000000000000000-mapping.dmp
- memory/1824-55-0x00000000768D1000-0x00000000768D3000-memory.dmp (Filesize 8KB)
- memory/1824-56-0x00000000006F0000-0x000000000078A000-memory.dmp (Filesize 616KB)
- memory/1824-58-0x00000000006F0000-0x000000000078A000-memory.dmp (Filesize 616KB)
- memory/1824-57-0x00000000006F0000-0x000000000072D000-memory.dmp (Filesize 244KB)
- memory/1824-60-0x00000000006F0000-0x000000000078A000-memory.dmp (Filesize 616KB)
- memory/1824-61-0x00000000006F0000-0x000000000078A000-memory.dmp (Filesize 616KB)