Analysis
-
max time kernel
91s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
11-06-2022 16:55
General
-
Target
q9ypuhl3.dll
-
Size
576KB
-
MD5
029c4b7edb22ac490cb6579e01fc341b
-
SHA1
c8db490c03efd8de9d41d2bca72078a1bfa21e5d
-
SHA256
c65243e51ddff712ffe22c8251980cb60c6b4d067074abe23695d2aeb7bf99f9
-
SHA512
fc0bdab89e6f576a6bb0d1064a91c0094b35cb490c0d06a52032572d1e2bf00329fd74e86a46962432ce73dba46b52dfd60111ab3c564f99bc14a731826e1741
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
77.220.64.131:443
5.196.204.251:5037
192.99.41.136:981
24.229.3.146:4664
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Blocklisted process makes network request 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\q9ypuhl3.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\q9ypuhl3.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4112-130-0x0000000000000000-mapping.dmp
-
memory/4112-131-0x00000000008D0000-0x000000000096A000-memory.dmpFilesize
616KB
-
memory/4112-133-0x00000000008D0000-0x000000000096A000-memory.dmpFilesize
616KB
-
memory/4112-132-0x00000000008D0000-0x000000000090D000-memory.dmpFilesize
244KB
-
memory/4112-135-0x00000000008D1000-0x000000000094A000-memory.dmpFilesize
484KB
-
memory/4112-137-0x00000000008D0000-0x000000000096A000-memory.dmpFilesize
616KB
-
memory/4112-138-0x00000000008D0000-0x000000000096A000-memory.dmpFilesize
616KB