Analysis
- Max time kernel: 48s
- Max time network: 82s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 26-06-2022 06:00

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: se12y5vm.dll
  - Resource: win7-20220414-en
  - Platform: windows7_x64
  - 0 signatures, 0 seconds
General
- Target: se12y5vm.dll
- Size: 311KB
- MD5: 7750ba949e4b090260827a4d8be63efc
- SHA1: ee0e268bfa0e49591dcf77f32d7da94515d03c82
- SHA256: 8521e047f78ccf64777d40e44fb86a95f900e0ed594bb4f01cc6802ff412c536
- SHA512: 464c3ac243bb8b3bad6419d10d5c9112dbb658e13256b722325bb42bcb11c464192683cb814568ecb431bf28aa3b58cbd7061f8c273b5ee3ac700948876eb315
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 77.220.64.37:443
  - 80.86.91.27:3308
  - 5.100.228.233:3389
  - 46.105.131.65:1512
- rc4.plain
- rc4.plain
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  - flow 3, pid 1680, process rundll32.exe
  - flow 5, pid 1680, process rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  - description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  - PID 1792 (rundll32.exe) wrote to memory of PID 1680 (rundll32.exe), recorded 7 times
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\se12y5vm.dll,#1
  PID: 1792
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\se12y5vm.dll,#1
    PID: 1680
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1680-54-0x0000000000000000-mapping.dmp
- memory/1680-55-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)
- memory/1680-56-0x0000000000360000-0x000000000039D000-memory.dmp (Filesize: 244KB)
- memory/1680-57-0x0000000000460000-0x000000000049D000-memory.dmp (Filesize: 244KB)