Analysis
  max time kernel:  132s
  max time network: 132s
  platform:         windows10_x64
  resource:         win10v20201028
  submitted:        09-11-2020 19:36
Static task:     static1
Behavioral task: behavioral1
  Sample:     ptytmbdu.dll
  Resource:   win7v20201028 (windows7_x64)
  Signatures: 0
  Time:       0 seconds
General
  Target: ptytmbdu.dll
  Size:   466KB
  MD5:    b0be7de75e36cc4322c757184cc6f3c8
  SHA1:   09ff86f5dbaab94cef3278cc4801463ebe9cef01
  SHA256: fcd9abcb235ec7aea9a425394952653a57b44ba9233e934289d2b6892fac82b2
  SHA512: b3ef6e0097399eff439bcda580c7ad08126dae194cbe5858d99aac1ccf91d56fcf7c2a9faa8246fbd8e06a47692be15ddb358f4f5f4e824ad97d20b5129c2586
Malware Config
  Extracted
    Family: dridex
    Botnet: 10444
    C2:
      38.88.126.131:443
      145.239.169.32:8443
      163.172.7.152:443
      45.79.135.98:691
    rc4.plain
    rc4.plain
Signatures

  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/1644-1-0x0000000073880000-0x00000000738AB000-memory.dmp  dridex_ldr

  Blocklisted process makes network request (1 IoCs)
  Processes:
    flow  pid   process
    13    1644  rundll32.exe

  Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1344 wrote to memory of 1644  1344  rundll32.exe  rundll32.exe
    PID 1344 wrote to memory of 1644  1344  rundll32.exe  rundll32.exe
    PID 1344 wrote to memory of 1644  1344  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptytmbdu.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ptytmbdu.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled