Analysis
-
max time kernel
140s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-06-2022 05:34
Static task
static1
Behavioral task
behavioral1
Sample
gf290z.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
gf290z.dll
-
Size
576KB
-
MD5
aeabbdc83f57481c63df70f597217c0b
-
SHA1
26f3e86893f2c4e37a92594b491f3eade0eb8c60
-
SHA256
1d6073d929d31040ab0247a69ec88252ccf3d3b7ddedc15986a80cb9a0f18c15
-
SHA512
7b98313ee9cf362d5c28b169863fe829dab306affdeb93a09d6f2270dede6fc731f28e4e549188460bf0444145b7cdff1224124bc941008587b44a52b4dabe54
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
77.220.64.131:443
5.196.204.251:5037
192.99.41.136:981
24.229.3.146:4664
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 14 2032 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4776 wrote to memory of 2032 4776 rundll32.exe rundll32.exe PID 4776 wrote to memory of 2032 4776 rundll32.exe rundll32.exe PID 4776 wrote to memory of 2032 4776 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\gf290z.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\gf290z.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
PID:2032