Analysis
-
max time kernel
87s -
max time network
94s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
11-06-2022 17:03
Static task
static1
Behavioral task
behavioral1
Sample
th769kg7.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
th769kg7.dll
-
Size
785KB
-
MD5
24499a2accccfce4f2fa27621c832167
-
SHA1
85e91e7ff19d5438e84422b367acbc32a6ffad4b
-
SHA256
6f7620033e5a6b1283b801c2c97d2bd5dcacb72a2b1ba709b6a763394c6a6aca
-
SHA512
9d0564d490c9b74d39c11620719315ed51589bfe48e366a8ea9c63d5eb6dc3f5320649f6a636bb7beb27a1fdd527ded5a39eeebb54ae28f816dbf74b3a03e0ad
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
209.20.87.138:443
198.1.115.153:8172
151.236.29.248:6516
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 1664 rundll32.exe 5 1664 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1824 wrote to memory of 1664 1824 rundll32.exe rundll32.exe PID 1824 wrote to memory of 1664 1824 rundll32.exe rundll32.exe PID 1824 wrote to memory of 1664 1824 rundll32.exe rundll32.exe PID 1824 wrote to memory of 1664 1824 rundll32.exe rundll32.exe PID 1824 wrote to memory of 1664 1824 rundll32.exe rundll32.exe PID 1824 wrote to memory of 1664 1824 rundll32.exe rundll32.exe PID 1824 wrote to memory of 1664 1824 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\th769kg7.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\th769kg7.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
PID:1664
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1664-54-0x0000000000000000-mapping.dmp
-
memory/1664-55-0x0000000076C81000-0x0000000076C83000-memory.dmpFilesize
8KB
-
memory/1664-57-0x00000000751F0000-0x000000007530B000-memory.dmpFilesize
1.1MB
-
memory/1664-56-0x00000000751F0000-0x000000007522D000-memory.dmpFilesize
244KB
-
memory/1664-59-0x00000000751F0000-0x000000007530B000-memory.dmpFilesize
1.1MB
-
memory/1664-60-0x00000000751F0000-0x000000007530B000-memory.dmpFilesize
1.1MB