Analysis
  max time kernel: 92s
  max time network: 164s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 11-06-2022 16:56

Static task: static1
Behavioral task: behavioral1
Sample: r6x7x6rf.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
  Target: r6x7x6rf.dll
  Size: 864KB
  MD5: d51dfce479bc8731a7489fabec3538c6
  SHA1: 4c45a11b9d18b243d5f7c9183cf316e6d545212d
  SHA256: c83b1f21b3c13741c8047162999e5c60b7360342713f095719b22837eae0b01d
  SHA512: f30007eb503775c908a2b4406f5c763257cf28c5935f7d9b74fab532ba299447e5c11470beb1fbfa773b92b92011e10b87948f91e715c60ac08517d808d48e57
Malware Config
Extracted
  Family: dridex
  Botnet: 10444
  C2:
    131.100.24.192:443
    103.6.213.203:6601
    46.41.130.218:2303
  rc4.plain
  rc4.plain
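The extracted configuration above is the most directly actionable part of this report: three C2 sockets tied to a named botnet ID. The following is an added example (not part of the sandbox report) that turns those entries into Suricata rules and matches them, port-aware, against a constructed flow log. The C2 list, family and botnet ID are taken from the report; the log lines, the internal source addresses and the sid range are constructed for the demo.

```python
"""Turn the extracted Dridex config into network detections (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Values copied from the report's "Malware Config" section.
CONFIG = {
    "family": "dridex",
    "botnet": "10444",
    "c2": ["131.100.24.192:443", "103.6.213.203:6601", "46.41.130.218:2303"],
}


def parse_c2(entries: List[str]) -> Dict[Tuple[str, int], str]:
    """Map (ip, port) -> original entry, rejecting malformed addresses or ports."""
    out: Dict[Tuple[str, int], str] = {}
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        p = int(port)
        if not 0 < p < 65536:
            raise ValueError(f"bad port in {entry}")
        out[(str(ip), p)] = entry
    return out


def suricata_rules(config: dict, base_sid: int = 9_000_000) -> List[str]:
    """One outbound TCP rule per C2 socket. The sid range is an assumption;
    pick one that does not collide with your ruleset."""
    rules = []
    for i, (ip, port) in enumerate(sorted(parse_c2(config["c2"]))):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{config["family"].upper()} botnet {config["botnet"]} C2 {ip}:{port}"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


# Constructed flow log (not from the report): timestamp,src_ip,dst_ip,dst_port,proto
SAMPLE_LOG = """\
2022-06-11T16:57:02Z,10.0.0.5,131.100.24.192,443,tcp
2022-06-11T16:57:03Z,10.0.0.5,142.250.74.36,443,tcp
2022-06-11T16:57:09Z,10.0.0.5,103.6.213.203,6601,tcp
2022-06-11T16:57:10Z,10.0.0.7,46.41.130.218,80,tcp
"""


def match_flows(log_text: str, config: dict) -> List[dict]:
    """Return flows whose destination socket is a listed C2.

    Matching is on (ip, port), not ip alone: the 46.41.130.218:80 line above
    does not match, because the config only names 46.41.130.218:2303."""
    c2 = parse_c2(config["c2"])
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split(",")
        key = (dst, int(dport))
        if key in c2:
            hits.append({"ts": ts, "src": src, "c2": c2[key], "proto": proto})
    return hits


if __name__ == "__main__":
    for rule in suricata_rules(CONFIG):
        print(rule)
    for hit in match_flows(SAMPLE_LOG, CONFIG):
        print(hit)
```

Matching on the full socket rather than the bare IP keeps false positives down when a C2 sits on shared hosting; if you want the broader net, match on IP only and lower the rule priority.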
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid  process
  3     832  rundll32.exe
  5     832  rundll32.exe
-
Checks whether UAC is enabled (1 TTPs)
Queries the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to determine whether UAC is enabled.
-
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                      pid   process       target process
  PID 1812 wrote to memory of 832  1812  rundll32.exe  rundll32.exe   (7 identical entries)
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1
  PID: 1812
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe  (child of PID 1812)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1
    PID: 832
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
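The process tree shows the 64-bit rundll32 (PID 1812) re-launching rundll32 from SysWOW64 (PID 832) with the identical DLL and ordinal export, and then writing into that child's memory; the re-launch is consistent with a 32-bit DLL being handed to the 64-bit host, although the report does not state the DLL's bitness. The following is an added example (not from the report) of detection logic for that chain, run over constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess) records. Images, command lines and PIDs 1812/832 are copied from the report; the parent of 1812, the benign control event and the GrantedAccess mask are assumptions. Sysmon does not log WriteProcessMemory itself; the closest telemetry is a ProcessAccess event whose access mask includes PROCESS_VM_WRITE and PROCESS_VM_OPERATION.

```python
"""Detect the System32 -> SysWOW64 rundll32 chain from the report (added example)."""
import re
from typing import List, Optional

# rundll32 invoked with an ordinal export, e.g. "...\r6x7x6rf.dll,#1"
ORDINAL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*#(?P<ordinal>\d+)\s*$', re.I)
USER_WRITABLE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\AppData\\', re.I)
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020

# Constructed events. PIDs 1812/832, images and command lines are from the report;
# parent PID 1200, the access mask and the benign event are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 1812, "ParentProcessId": 1200,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1"},
    {"EventID": 1, "ProcessId": 832, "ParentProcessId": 1812,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1"},
    {"EventID": 10, "SourceProcessId": 1812, "TargetProcessId": 832,
     "SourceImage": r"C:\Windows\system32\rundll32.exe",
     "TargetImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "GrantedAccess": "0x1FFFFF"},  # PROCESS_ALL_ACCESS, assumed for the demo
    # benign control: a Control Panel applet launched via a named export
    {"EventID": 1, "ProcessId": 2044, "ParentProcessId": 1200,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Return {'dll', 'ordinal'} when rundll32 is called with an ordinal (#N) export."""
    m = ORDINAL_EXPORT.search(cmdline)
    return {"dll": m["dll"], "ordinal": int(m["ordinal"])} if m else None


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def detect(events: List[dict]) -> List[str]:
    findings = []
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    for e in creates.values():
        if not is_rundll32(e["Image"]):
            continue
        call = parse_rundll32(e["CommandLine"])
        # R1: ordinal export of a DLL that lives under a user profile (dropped file)
        if call and USER_WRITABLE.match(call["dll"]):
            findings.append(f"R1 pid={e['ProcessId']}: rundll32 ordinal #{call['ordinal']} "
                            f"from {call['dll']}")
        # R2: rundll32 re-spawned by rundll32 with the same DLL, System32 -> SysWOW64
        parent = creates.get(e["ParentProcessId"])
        if parent and is_rundll32(parent["Image"]) and "\\syswow64\\" in e["Image"].lower():
            pcall = parse_rundll32(parent["CommandLine"])
            if call and pcall and call["dll"].lower() == pcall["dll"].lower():
                findings.append(f"R2 pid={e['ProcessId']}: WoW64 rundll32 re-launch of "
                                f"{call['dll']} by pid {parent['ProcessId']}")
    # R3: rundll32 opening another rundll32 with write access, the precondition
    # for the WriteProcessMemory activity the report attributes to PID 1812
    for e in events:
        if e["EventID"] != 10:
            continue
        if not (is_rundll32(e["SourceImage"]) and is_rundll32(e["TargetImage"])):
            continue
        mask = int(e["GrantedAccess"], 16)
        if mask & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
            findings.append(f"R3 pid={e['SourceProcessId']}->{e['TargetProcessId']}: "
                            f"handle with VM write access 0x{mask:X}")
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

R1 alone fires on a fair amount of legitimate installer activity, so treat it as a scoring input; R2 and R3 together are the specific shape seen in this report and warrant an alert on their own.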
Network
MITRE ATT&CK Enterprise v6
Downloads
  dump                                                               region                   Filesize
  memory/832-54-0x0000000000000000-mapping.dmp                       (mapping)                -
  memory/832-55-0x00000000755C1000-0x00000000755C3000-memory.dmp     0x755C1000-0x755C3000    8KB
  memory/832-56-0x0000000001E80000-0x0000000001F70000-memory.dmp     0x01E80000-0x01F70000    960KB
  memory/832-58-0x0000000001E80000-0x0000000001F70000-memory.dmp     0x01E80000-0x01F70000    960KB
  memory/832-57-0x0000000001E80000-0x0000000001EBD000-memory.dmp     0x01E80000-0x01EBD000    244KB
  memory/832-60-0x0000000001E80000-0x0000000001F70000-memory.dmp     0x01E80000-0x01F70000    960KB
  memory/832-61-0x0000000001E80000-0x0000000001F70000-memory.dmp     0x01E80000-0x01F70000    960KB
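All the substantive dumps come from PID 832, and the same 0x01E80000 region was captured five times (once as a 244KB prefix, four times in full at 960KB), which is what repeated captures of one region look like while its contents are being rewritten in stages; the 960KB region is also larger than the 864KB file on disk, as a mapped image with section alignment and any unpacked payload would be. The following is an added example (not part of the report) that parses the dump names, recomputes each region size from the address range and checks it against the Filesize the report prints. The names and sizes are copied from the Downloads list above.

```python
"""Parse the sandbox memory dump names and verify region sizes (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<mapping|memory>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp$"
)

# (dump name, Filesize as printed in the report; None where none was listed)
REPORTED = [
    ("memory/832-54-0x0000000000000000-mapping.dmp", None),
    ("memory/832-55-0x00000000755C1000-0x00000000755C3000-memory.dmp", "8KB"),
    ("memory/832-56-0x0000000001E80000-0x0000000001F70000-memory.dmp", "960KB"),
    ("memory/832-58-0x0000000001E80000-0x0000000001F70000-memory.dmp", "960KB"),
    ("memory/832-57-0x0000000001E80000-0x0000000001EBD000-memory.dmp", "244KB"),
    ("memory/832-60-0x0000000001E80000-0x0000000001F70000-memory.dmp", "960KB"),
    ("memory/832-61-0x0000000001E80000-0x0000000001F70000-memory.dmp", "960KB"),
]


def parse_dump(name: str) -> dict:
    """Split a dump name into pid, sequence number, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "size": (end - start) if end is not None else None}


def size_kb(name: str) -> Optional[int]:
    """Region size in whole KiB, the unit the report prints."""
    d = parse_dump(name)
    return d["size"] // 1024 if d["size"] is not None else None


def check_sizes(entries=REPORTED) -> List[str]:
    """Names whose computed size disagrees with the report's Filesize column."""
    bad = []
    for name, reported in entries:
        expect = int(reported[:-2]) if reported else None  # strip "KB"
        if size_kb(name) != expect:
            bad.append(name)
    return bad


def regions_by_base(entries=REPORTED) -> Dict[int, List[int]]:
    """Group memory dumps by region base address, in capture order.

    Several sequence numbers under one base mean the sandbox re-captured the
    region as its contents changed, i.e. successive unpacking stages."""
    groups: Dict[int, List[int]] = defaultdict(list)
    for name, _ in entries:
        d = parse_dump(name)
        if d["kind"] == "memory":
            groups[d["start"]].append(d["seq"])
    return dict(groups)


def largest_region(entries=REPORTED) -> Optional[dict]:
    """The biggest captured region; the best candidate for the unpacked payload."""
    best = None
    for name, _ in entries:
        d = parse_dump(name)
        if d["size"] and (best is None or d["size"] > best["size"]):
            best = d
    return best


if __name__ == "__main__":
    print("size mismatches:", check_sizes())
    for base, seqs in regions_by_base().items():
        print(f"0x{base:08X}: captured {len(seqs)}x, seq {seqs}")
    print("largest region:", largest_region())
```

When several dumps share a base, compare them by hash before loading any into a disassembler; a final full capture that differs from the earlier ones is usually the one that carries the decoded payload.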