Analysis
-
max time kernel
9s -
max time network
66s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-11-2020 12:37
Behavioral task
behavioral1
Sample
cm5xssc78.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
cm5xssc78.dll
-
Size
539KB
-
MD5
cf9c14ef002b286cc5b6f40e24430857
-
SHA1
8ab38ccaf47cdfaf5bd48b05d7c094f28aa17b0d
-
SHA256
f4e65ecea469214769a863058823613437eb066a0baf40b5f9342958fce1e7a7
-
SHA512
1c3f18cf81ddc5fc7729e184e9021202bc395b11fc3273be25961de7713307a9d5eeb62c2870481410bafa0d68972050dd659882b2fc610dd465e4151d8b207a
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1960-1-0x00000000009B0000-0x00000000009ED000-memory.dmp dridex_ldr -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 1960 rundll32.exe 6 1960 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1664 wrote to memory of 1960 1664 rundll32.exe rundll32.exe PID 1664 wrote to memory of 1960 1664 rundll32.exe rundll32.exe PID 1664 wrote to memory of 1960 1664 rundll32.exe rundll32.exe PID 1664 wrote to memory of 1960 1664 rundll32.exe rundll32.exe PID 1664 wrote to memory of 1960 1664 rundll32.exe rundll32.exe PID 1664 wrote to memory of 1960 1664 rundll32.exe rundll32.exe PID 1664 wrote to memory of 1960 1664 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cm5xssc78.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cm5xssc78.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled