Analysis
- max time kernel: 58s
- max time network: 115s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 12:52

Static task: static1
Behavioral task: behavioral1
Sample: bvht1xpdf.dll
Resource: win7v20201028
0 signatures
0 seconds
General
- Target: bvht1xpdf.dll
- Size: 1.2MB
- MD5: 9a821fc91c5053a2b52dbb0c16f89dc0
- SHA1: d10adfc10ab68859e02d21a551d1f4ea6f0ff5c9
- SHA256: d4621f06232d8942fbe8ec42a295028d89f277633354d900071f53179684f227
- SHA512: db8ee3ac8168a7d83e93af78f81af97cdce9cfa52e6d4d1bf7027ee46ecf6e40e91982be4332167fd23d15ea937fe6b2c5c1c51e4d74c04e159c422b110219e3
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  94.126.8.2:443
  37.187.161.206:33443
  209.59.199.129:4443
  157.245.130.146:3786
- rc4.plain
- rc4.plain
Signatures
-
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1840-1-0x0000000074420000-0x000000007445D000-memory.dmp  dridex_ldr
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    4     1840  rundll32.exe
    7     1840  rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
    description        ioc                                                                                   process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                      pid  process       target process
    PID 364 wrote to memory of 1840  364  rundll32.exe  rundll32.exe
    PID 364 wrote to memory of 1840  364  rundll32.exe  rundll32.exe
    PID 364 wrote to memory of 1840  364  rundll32.exe  rundll32.exe
    PID 364 wrote to memory of 1840  364  rundll32.exe  rundll32.exe
    PID 364 wrote to memory of 1840  364  rundll32.exe  rundll32.exe
    PID 364 wrote to memory of 1840  364  rundll32.exe  rundll32.exe
    PID 364 wrote to memory of 1840  364  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bvht1xpdf.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bvht1xpdf.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled