Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-06-2022 05:34

General

  • Target

    gf290z.dll

  • Size

    576KB

  • MD5

    aeabbdc83f57481c63df70f597217c0b

  • SHA1

    26f3e86893f2c4e37a92594b491f3eade0eb8c60

  • SHA256

    1d6073d929d31040ab0247a69ec88252ccf3d3b7ddedc15986a80cb9a0f18c15

  • SHA512

    7b98313ee9cf362d5c28b169863fe829dab306affdeb93a09d6f2270dede6fc731f28e4e549188460bf0444145b7cdff1224124bc941008587b44a52b4dabe54

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

77.220.64.131:443

5.196.204.251:5037

192.99.41.136:981

24.229.3.146:4664

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Blocklisted process makes network request 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\gf290z.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\gf290z.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Checks whether UAC is enabled
      PID:2032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2032-130-0x0000000000000000-mapping.dmp

  • memory/2032-132-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/2032-131-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB