Analysis
- max time kernel: 77s
- max time network: 133s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 02-11-2020 18:16

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: bfe2mddol.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: bfe2mddol.dll
- Size: 752KB
- MD5: fd3da0ce820ee753901011f520ecd2b1
- SHA1: 31c739f637c7588cd430c60566c2aea402f70a45
- SHA256: 1f4d7b9217afd5254350c56788693bee5ecaa46b7f7c07354045826910dacb3c
- SHA512: 267124d68055413495344847f8c068e9f90635407a17370f93ec1afae7b6a65c3f987e5acc84838b4a8b79c62c281341bd466027f377bc25e7cb52c6ded0a354
Malware Config (extracted)
- Family: dridex
- Botnet: 10444
- C2:
  195.154.237.245:443
  46.105.131.73:8172
  91.238.160.158:18443
  213.183.128.99:3786
- Keys: rc4.plain, rc4.plain
Signatures
- YARA match in process memory
  resource                                                                          yara_rule
  behavioral1/memory/1604-1-0x00000000007B0000-0x00000000007ED000-memory.dmp         dridex_ldr

- Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  3     1604  rundll32.exe
  6     1604  rundll32.exe

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   process       target process
  PID 1668 wrote to memory of 1604  1668  rundll32.exe  rundll32.exe
  (the same entry is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe2mddol.dll,#1
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe2mddol.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled