Analysis
-
max time kernel
96s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
11-06-2022 16:56
General
-
Target
rayzhd.dll
-
Size
664KB
-
MD5
f95adad3ef40acfd27ab6863fd3c2508
-
SHA1
4edede712e418838f20876fd492ca48c7467a67c
-
SHA256
99435f6e7cbf300f5d8d18e31f3a1b6ed70fdca596a4cc895f96558813a0feac
-
SHA512
229ab416256bc01f26db6a58479b4b29a8285d17d822d40988bc96ce9315abce88652b75d7ff3440266a302dc8c3961356a33bdda112d169d0613a4d08132ac9
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10222
C2
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Blocklisted process makes network request 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\rayzhd.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\rayzhd.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1192-130-0x0000000000000000-mapping.dmp
-
memory/1192-131-0x0000000001FD0000-0x000000000210C000-memory.dmpFilesize
1.2MB
-
memory/1192-133-0x0000000001FD0000-0x000000000210C000-memory.dmpFilesize
1.2MB
-
memory/1192-135-0x0000000001FD0000-0x000000000210C000-memory.dmpFilesize
1.2MB
-
memory/1192-134-0x0000000001FD0000-0x000000000200D000-memory.dmpFilesize
244KB
-
memory/1192-138-0x0000000001FD0000-0x000000000210C000-memory.dmpFilesize
1.2MB