Analysis
-
max time kernel
62s -
max time network
70s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-11-2020 16:18
Static task
static1
Behavioral task
behavioral1
Sample
aejmelvv.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
aejmelvv.dll
-
Size
520KB
-
MD5
a19e9a48a5adb409f2eed82694231a7a
-
SHA1
ff50e4396399178914c64653f33617a7c4f6df61
-
SHA256
fd6f6c377f403f5faccf5c4bb03a0d5af94f7f57ac13572a42b187cdbda027cc
-
SHA512
763bb2799be8a6698362ccf928f552d4faaaf086550e640aeebd7522b304c58f7dc9d68898fe53a8a1bd4db3cfac310019d9bcc2794d0f0c1fadd0abea90841f
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
77.220.64.53:443
172.96.190.154:4664
209.126.111.137:33443
167.99.158.82:33443
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral2/memory/4748-1-0x0000000010000000-0x000000001003D000-memory.dmp dridex_ldr -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 12 4748 rundll32.exe 14 4748 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4684 wrote to memory of 4748 4684 rundll32.exe rundll32.exe PID 4684 wrote to memory of 4748 4684 rundll32.exe rundll32.exe PID 4684 wrote to memory of 4748 4684 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\aejmelvv.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\aejmelvv.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled