Analysis
max time kernel: 7s
max time network: 63s
platform: windows7_x64
resource: win7v20201028
submitted: 18-11-2020 12:10
Behavioral task: behavioral1
Sample: ugm5wtx2gif.dll
Resource: win7v20201028
Platform: windows7_x64
0 signatures
0 seconds
General
Target: ugm5wtx2gif.dll
Size: 539KB
MD5: 6972a8146a738570e6443ba8b75af1bb
SHA1: 480043a771ac2bdde19b0177a0f7ce5db428e8c7
SHA256: ae9628344dfef9e22d8bb19fd5001329640ec5573c5503e3ae99788ef7b58f1c
SHA512: 4120227d0fd105d3e7a28a39f151036121ce84ed78cd7a846f133c7ea4e47fc58cf0f102d1e6ba1dc97fcff318597e3d77548822384c4c2603680dacac809f35
Malware Config
Extracted
Family: dridex
Botnet: 10444
C2:
  162.241.44.26:9443
  192.232.229.53:4443
  77.220.64.34:443
  193.90.12.121:3098
rc4.plain
rc4.plain
Signatures
Processes:
resource                                                                      yara_rule
behavioral1/memory/2016-1-0x0000000000200000-0x000000000023D000-memory.dmp    dridex_ldr
Blocklisted process makes network request (2 IoCs)
Processes:
flow   pid    process
3      2016   rundll32.exe
6      2016   rundll32.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description          ioc                                                                                      process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                         pid    process        target process
PID 1732 wrote to memory of 2016    1732   rundll32.exe   rundll32.exe
(the report lists this identical row 7 times, one per IoC)
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ugm5wtx2gif.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ugm5wtx2gif.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled