Analysis
max time kernel: 91s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 11-06-2022 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: r6x7x6rf.dll
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
General
Target: r6x7x6rf.dll
Size: 864KB
MD5: d51dfce479bc8731a7489fabec3538c6
SHA1: 4c45a11b9d18b243d5f7c9183cf316e6d545212d
SHA256: c83b1f21b3c13741c8047162999e5c60b7360342713f095719b22837eae0b01d
SHA512: f30007eb503775c908a2b4406f5c763257cf28c5935f7d9b74fab532ba299447e5c11470beb1fbfa773b92b92011e10b87948f91e715c60ac08517d808d48e57
Malware Config
Extracted
Family: dridex
Botnet: 10444
C2:
  131.100.24.192:443
  103.6.213.203:6601
  46.41.130.218:2303
rc4.plain
rc4.plain
(two rc4.plain entries are listed; their key values are not included on this page)
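The three C2 endpoints above are the most directly actionable indicators on the page. The Python below is an added example by the editor, not part of the report or the sandbox: it normalises the config's ip:port strings and runs them over connection records in a constructed flow-log format (the log lines, the 10.0.0.5 client and the 203.0.113.10 destination are made up for the example). It distinguishes an exact ip:port match from an address-only match on another port, since two of the three listed ports (6601, 2303) are non-standard and a host in the list may also be contacted on a port this config does not mention.

```python
"""Match the Dridex C2 endpoints from the extracted config against connection
records. Added example code; the flow lines below are constructed, not taken
from the report."""
import ipaddress
import re
from dataclasses import dataclass

# Endpoints exactly as listed in the extracted config above
C2_ENDPOINTS = {
    "131.100.24.192:443",
    "103.6.213.203:6601",
    "46.41.130.218:2303",
}

# Constructed flow records: "<timestamp> <src ip:port> -> <dst ip:port> <proto>".
# 203.0.113.10 is a documentation address standing in for benign traffic.
CONSTRUCTED_FLOWS = """\
2022-06-11T17:01:03Z 10.0.0.5:49812 -> 131.100.24.192:443 tcp
2022-06-11T17:01:05Z 10.0.0.5:49813 -> 203.0.113.10:443 tcp
2022-06-11T17:01:09Z 10.0.0.5:49814 -> 103.6.213.203:6601 tcp
2022-06-11T17:01:11Z 10.0.0.5:49815 -> 46.41.130.218:443 tcp
"""

FLOW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_c2(entries):
    """Turn 'ip:port' strings into (ip, port) tuples, rejecting malformed addresses."""
    out = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP
        out.add((host, int(port)))
    return out


def parse_flows(text):
    """Parse the constructed flow-log format into Conn records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed flow line: {line}")
        conns.append(Conn(m["ts"], m["src"], m["dst_ip"], int(m["dst_port"]), m["proto"]))
    return conns


def match_c2(conns, c2_entries):
    """Return (conn, kind) for every connection to a listed C2 address.

    kind is 'exact' when ip:port matches the config and 'ip-only' when only the
    address matches: the same host on a port the config does not list still
    deserves a look rather than being silently dropped.
    """
    c2 = parse_c2(c2_entries)
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for c in conns:
        if (c.dst_ip, c.dst_port) in c2:
            hits.append((c, "exact"))
        elif c.dst_ip in c2_ips:
            hits.append((c, "ip-only"))
    return hits


if __name__ == "__main__":
    for conn, kind in match_c2(parse_flows(CONSTRUCTED_FLOWS), C2_ENDPOINTS):
        print(f"{conn.ts} {conn.src} -> {conn.dst_ip}:{conn.dst_port} [{kind}]")
```

Running the block lists the two exact hits and flags the third listed host even though it was contacted on 443 rather than the configured 2303.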
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  15    2540  rundll32.exe
  17    2540  rundll32.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  (no IoC rows for this signature are included on the page)

Checks whether UAC is enabled
  description        ioc                                                                                      process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  (EnableLUA is the UAC on/off flag; the page lists this signature against the SysWOW64 rundll32.exe in the process tree below)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       target pid  target process
  PID 3164 wrote to memory of 2540   3164  rundll32.exe  2540        rundll32.exe
  PID 3164 wrote to memory of 2540   3164  rundll32.exe  2540        rundll32.exe
  PID 3164 wrote to memory of 2540   3164  rundll32.exe  2540        rundll32.exe
Processes

1⤵ C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1
   - Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\rundll32.exe (spawned by 1)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1
   - Blocklisted process makes network request
   - Checks whether UAC is enabled

From the signature tables, PID 3164 is the system32 (64-bit) instance and PID 2540 the SysWOW64 (32-bit) child: 3164 wrote to 2540's memory, and 2540 is the process behind network flows 15 and 17. A 64-bit rundll32.exe handed a 32-bit DLL relaunches the same command line under SysWOW64\rundll32.exe, so the parent/child pair by itself indicates the sample is a 32-bit DLL; the export invoked is ordinal #1.
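The process tree and the signature tables describe one behaviour chain: a 64-bit rundll32 is handed a DLL in the user's Temp directory with ordinal export #1, relaunches it under SysWOW64\rundll32.exe and writes into that child, and the child then queries EnableLUA and makes network requests. The Python below is an added detection example written by the editor, not part of the report or the sandbox. The events are constructed by hand in a simplified sandbox-style shape (event type names such as write_process_memory and field names such as target_pid are the example's own, not a real sensor schema) and include one benign rundll32 invocation as a control. Because the x64-to-WoW64 relaunch is normal behaviour for a 32-bit DLL, the code reports it as context rather than as an alert on its own, and only correlates the memory write, registry query and network activity once a command line has matched the Temp-DLL-with-ordinal pattern.

```python
"""Detect the rundll32 loader chain shown in the report over constructed,
sandbox-style events. Added example code; the events are made up to mirror
the page (PIDs 3164 and 2540 and the command lines are from the report,
PPID 1234 and PID 4000 are invented)."""
import re

# rundll32 given a DLL under a user's Temp directory and an ordinal export (",#1").
# Legitimate rundll32 use names a DLL under the Windows or Program Files tree and
# usually an export by name, so this combination is a strong loader signal.
TEMP_ORDINAL = re.compile(
    r"""rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^",]+)"?,#(?P<ordinal>\d+)""",
    re.IGNORECASE,
)

CONSTRUCTED_EVENTS = [
    {"type": "process_create", "pid": 3164, "ppid": 1234,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1"},
    {"type": "process_create", "pid": 2540, "ppid": 3164,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\r6x7x6rf.dll,#1"},
    {"type": "write_process_memory", "pid": 3164, "target_pid": 2540},
    {"type": "registry_query", "pid": 2540,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "network", "pid": 2540, "dst": "131.100.24.192:443"},
    # Benign control: a system DLL invoked by export name from System32.
    {"type": "process_create", "pid": 4000, "ppid": 1234,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]


def rundll32_temp_ordinal(cmdline):
    """Return (dll_path, ordinal) if the command line loads a Temp DLL by ordinal, else None."""
    m = TEMP_ORDINAL.search(cmdline)
    return (m.group("dll"), int(m.group("ordinal"))) if m else None


def detect(events):
    """Return a list of (rule_name, pid) findings over the event stream."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    flagged = set()

    for pid, e in procs.items():
        if rundll32_temp_ordinal(e["cmdline"]):
            flagged.add(pid)
            findings.append(("rundll32_user_temp_dll_ordinal", pid))
        parent = procs.get(e["ppid"])
        # Context, not an alert by itself: x64 rundll32 relaunching a 32-bit DLL
        # under SysWOW64 tells the analyst the DLL is 32-bit.
        if (parent is not None
                and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and e["image"].lower().endswith(r"\syswow64\rundll32.exe")):
            findings.append(("rundll32_x64_relaunched_32bit_dll", pid))

    # Correlate follow-on behaviour only for processes the command line already flagged.
    for e in events:
        if e["type"] == "write_process_memory" and e["pid"] in flagged and e["target_pid"] in procs:
            findings.append(("flagged_process_wrote_child_memory", e["target_pid"]))
        elif (e["type"] == "registry_query" and e["pid"] in flagged
              and e["key"].lower().endswith(r"\policies\system\enablelua")):
            findings.append(("uac_enabled_check_by_flagged_process", e["pid"]))
        elif e["type"] == "network" and e["pid"] in flagged:
            findings.append(("network_from_flagged_process", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(CONSTRUCTED_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The control process (PID 4000) produces no findings: it runs rundll32 with a System32 DLL and a named export, so nothing downstream of it is correlated either.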
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

file                                                               region                   size
memory/2540-130-0x0000000000000000-mapping.dmp                     (mapping)                -
memory/2540-131-0x0000000002280000-0x0000000002370000-memory.dmp   0x02280000-0x02370000    960KB
memory/2540-133-0x0000000002280000-0x0000000002370000-memory.dmp   0x02280000-0x02370000    960KB
memory/2540-132-0x0000000002280000-0x00000000022BD000-memory.dmp   0x02280000-0x022BD000    244KB
memory/2540-135-0x0000000002281000-0x000000000230C000-memory.dmp   0x02281000-0x0230C000    556KB
memory/2540-137-0x0000000002280000-0x0000000002370000-memory.dmp   0x02280000-0x02370000    960KB
memory/2540-138-0x0000000002280000-0x0000000002370000-memory.dmp   0x02280000-0x02370000    960KB
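The dump names above encode the PID, a sequence number and the virtual address range that was captured, so the reported sizes can be checked against the names and repeated captures of the same region made visible: four captures of 0x02280000-0x02370000 in PID 2540, plus two smaller ranges that lie inside it. The Python below is an added example by the editor, not part of the report or the sandbox; it uses the listing above as its input and treats the name format as described here, which is an assumption read off these seven entries rather than a documented schema.

```python
"""Parse the memory-dump file names from the Downloads list, check the reported
sizes against the address ranges in the names, and group dumps by region.
Added example code; the listing is copied from the report above."""
import re
from collections import defaultdict

# Assumed name format, read off the listing: memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (file name, reported Filesize) exactly as listed on the page; the mapping dump has no size.
REPORT_DUMPS = [
    ("memory/2540-130-0x0000000000000000-mapping.dmp", None),
    ("memory/2540-131-0x0000000002280000-0x0000000002370000-memory.dmp", "960KB"),
    ("memory/2540-133-0x0000000002280000-0x0000000002370000-memory.dmp", "960KB"),
    ("memory/2540-132-0x0000000002280000-0x00000000022BD000-memory.dmp", "244KB"),
    ("memory/2540-135-0x0000000002281000-0x000000000230C000-memory.dmp", "556KB"),
    ("memory/2540-137-0x0000000002280000-0x0000000002370000-memory.dmp", "960KB"),
    ("memory/2540-138-0x0000000002280000-0x0000000002370000-memory.dmp", "960KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, seq, start, end (None for mapping dumps), kind and span."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
        "kind": m["kind"], "span": (end - start) if end is not None else None,
    }


def kb(nbytes):
    """Render a byte count the way the report does (whole kilobytes)."""
    return f"{nbytes // 1024}KB"


def check_dumps(listing):
    """Return one record per dump with a 'consistent' flag: the reported size must equal
    the size implied by the address range, and a mapping dump must carry no size."""
    records = []
    for name, reported in listing:
        rec = parse_dump_name(name)
        rec["name"], rec["reported"] = name, reported
        if rec["span"] is None:
            rec["consistent"] = reported is None
        else:
            rec["consistent"] = reported is not None and kb(rec["span"]) == reported
        records.append(rec)
    return records


def regions(records):
    """Group dump sequence numbers by (start, end) so repeated captures of one region stand out."""
    groups = defaultdict(list)
    for r in records:
        if r["end"] is not None:
            groups[(r["start"], r["end"])].append(r["seq"])
    return dict(groups)


def largest_region(records):
    """The widest captured range; smaller ranges inside it are partial captures of the same allocation."""
    ranged = [r for r in records if r["span"] is not None]
    widest = max(ranged, key=lambda r: r["span"])
    return (widest["start"], widest["end"])


if __name__ == "__main__":
    recs = check_dumps(REPORT_DUMPS)
    for r in recs:
        print(f"{r['name']}: span={r['span']} reported={r['reported']} consistent={r['consistent']}")
    lo, hi = largest_region(recs)
    for (start, end), seqs in regions(recs).items():
        inside = lo <= start and end <= hi
        print(f"0x{start:08X}-0x{end:08X} captured {len(seqs)}x (seq {seqs}) inside largest: {inside}")
```

All seven entries check out: 0x02370000 - 0x02280000 is 0xF0000 bytes, exactly 960KB, and both smaller ranges fall inside that allocation, which is the region to carve first when looking for the unpacked payload.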