Analysis
- max time kernel: 47s
- max time network: 105s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 14:25

Static task: static1
Behavioral task: behavioral1
- Sample: zyhcht.rar.dll
- Resource: win7v20201028
- 0 signatures
- 0 seconds
General
- Target: zyhcht.rar.dll
- Size: 1.2MB
- MD5: 9a821fc91c5053a2b52dbb0c16f89dc0
- SHA1: d10adfc10ab68859e02d21a551d1f4ea6f0ff5c9
- SHA256: d4621f06232d8942fbe8ec42a295028d89f277633354d900071f53179684f227
- SHA512: db8ee3ac8168a7d83e93af78f81af97cdce9cfa52e6d4d1bf7027ee46ecf6e40e91982be4332167fd23d15ea937fe6b2c5c1c51e4d74c04e159c422b110219e3
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 94.126.8.2:443
  - 37.187.161.206:33443
  - 209.59.199.129:4443
  - 157.245.130.146:3786
- rc4.plain
- rc4.plain
Signatures
-
Processes:
- resource: behavioral2/memory/1216-1-0x0000000073C90000-0x0000000073CCD000-memory.dmp; yara_rule: dridex_ldr

Blocklisted process makes network request (2 IoCs)
Processes:
- flow 15, pid 1216, process rundll32.exe
- flow 17, pid 1216, process rundll32.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- description: PID 8 wrote to memory of 1216; pid: 8; process: rundll32.exe; target process: rundll32.exe
- description: PID 8 wrote to memory of 1216; pid: 8; process: rundll32.exe; target process: rundll32.exe
- description: PID 8 wrote to memory of 1216; pid: 8; process: rundll32.exe; target process: rundll32.exe
Processes
-
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zyhcht.rar.dll,#1
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zyhcht.rar.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled