Analysis
- max time kernel: 47s
- max time network: 98s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 05:08

Static task: static1
Behavioral task: behavioral1
- Sample: dfbaq8x5.dll
- Resource: win7-20220718-en (windows7-x64)
- 5 signatures, 150 seconds
General
- Target: dfbaq8x5.dll
- Size: 525KB
- MD5: eb477791471e3b4379f816cbf7bc7a56
- SHA1: 5ec761e52521bda659646ca1bb5cad605b3a98d3
- SHA256: 81a509915d240010326dae2581c7e584304c5a4f0f02d9ed4d9270e4193e83b1
- SHA512: ed5d38339d0344b664e894fba4d0321b81f472556194f00287b684aa025bcaae210efbfecaa342e83a88d0729f8219950d45f4ebb9096f98f21142b025a6209c
Malware Config (Extracted)
- Family: dridex
- Botnet: 10444
- C2:
  - 169.255.216.36:443
  - 138.201.138.91:3389
  - 89.174.36.41:4643
  - 87.106.89.36:3389
- rc4.plain
- rc4.plain
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
    flow  pid   process
    3     1432  rundll32.exe
    5     1432  rundll32.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes: rundll32.exe
    description        ioc                                                                              process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
    description                       pid  process       target process
    PID 876 wrote to memory of 1432   876  rundll32.exe  rundll32.exe
    (the same row is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfbaq8x5.dll,#1  (level 1)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfbaq8x5.dll,#1  (level 2)
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1432-54-0x0000000000000000-mapping.dmp
- memory/1432-55-0x0000000075661000-0x0000000075663000-memory.dmp (Filesize 8KB)
- memory/1432-57-0x0000000000320000-0x000000000035D000-memory.dmp (Filesize 244KB)
- memory/1432-56-0x00000000001D0000-0x000000000020D000-memory.dmp (Filesize 244KB)
- memory/1432-58-0x0000000000320000-0x000000000035D000-memory.dmp (Filesize 244KB)