Analysis
-
max time kernel
40s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
11-06-2022 16:56
Static task
static1
Behavioral task
behavioral1
Sample
raw0rbp9s.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
raw0rbp9s.dll
-
Size
311KB
-
MD5
af7dde49c27f97cd77b03a8ace70beea
-
SHA1
daafa2be3a79192b311774db9bc7123a6040825f
-
SHA256
163fe3e1545012147aeca9c14a90a0d7f52f624f664d8365052657a76fc481a4
-
SHA512
52700a5fc9b93bc65a78d64c3ab50fcc0cdbd3c87a12679eb1fdf912ff1bdfa6a3a5942a4b1e58cecd928154383fc07831bb67ff6e35d753a279210f60c64633
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
77.220.64.37:443
80.86.91.27:3308
5.100.228.233:3389
46.105.131.65:1512
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 2 1860 rundll32.exe 4 1860 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 760 wrote to memory of 1860 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1860 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1860 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1860 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1860 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1860 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1860 760 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\raw0rbp9s.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\raw0rbp9s.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
PID:1860
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1860-54-0x0000000000000000-mapping.dmp
-
memory/1860-55-0x0000000076851000-0x0000000076853000-memory.dmpFilesize
8KB
-
memory/1860-56-0x0000000000120000-0x000000000015D000-memory.dmpFilesize
244KB
-
memory/1860-57-0x0000000000270000-0x00000000002AD000-memory.dmpFilesize
244KB
-
memory/1860-58-0x0000000000270000-0x00000000002AD000-memory.dmpFilesize
244KB