Analysis

Max time kernel:  135s
Max time network: 137s
Platform:         windows7_x64
Resource:         win7v20201028
Submitted:        18-11-2020 23:20

Static task:      static1 (0 signatures, 0 seconds)
Behavioral task:  behavioral1
  Sample:         s.bin.dll
  Resource:       win7v20201028 (windows7_x64)
General

Target:  s.bin.dll
Size:    540KB
MD5:     bf44f8eef8654d6b2ce11c302351e02a
SHA1:    a6fd4a421ca6041f91cb7ce63a6c33f2a1fde0c1
SHA256:  581a2419d8e96d3367e5ead5f7de2c743133db0e69e6f3721d4a99c9ebafda36
SHA512:  83d6cd60373366d501130b0c23db0c74fde4f7151d8a89a9e2987321f784b72c71517c1aaa24f7a8cf11cd9a3e8028b7771d27795b1f7f80778ecb66316b8678
Malware Config

Extracted
Family:  dridex
Botnet:  10444
C2:
  162.241.44.26:9443
  192.232.229.53:4443
  77.220.64.34:443
  193.90.12.121:3098
rc4.plain: (value not captured on this page)
rc4.plain: (value not captured on this page)

All four C2 endpoints are raw IPv4 address and port pairs, so there is no domain to sinkhole or to match in DNS logs; the practical control is an egress block and alert on the IP:port pairs themselves. Three of the four use TLS-style ports other than 443 (9443, 4443, 3098), so an egress policy that only permits outbound TLS on 443 would already stop those three; the fourth, 77.220.64.34:443, needs an explicit IP rule.
Signatures

dridex_ldr (YARA rule match)
  resource                                                                    rule
  behavioral1/memory/2024-1-0x00000000002C0000-0x00000000002FD000-memory.dmp  dridex_ldr
  The rule fires on a memory dump of PID 2024 (the SysWOW64 rundll32.exe), not on s.bin.dll as it sits on disk, which is consistent with the static task reporting 0 signatures: the loader is only visible once unpacked in memory. The 0x2C0000-0x2FD000 range (0x3D000 bytes) is the region to carve for the unpacked loader.

Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  4     2024  rundll32.exe
  7     2024  rundll32.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 IoC)
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1080 (rundll32.exe) wrote to the memory of PID 2024 (rundll32.exe), seven times.
  Both ends are rundll32.exe: the 64-bit parent in system32 and the 32-bit child in SysWOW64 that it spawned. Process creation itself involves the parent writing into its new child, so this signature fires for many benign parent/child pairs and is weak on its own; the dridex_ldr hit inside PID 2024 is the stronger evidence, and the memory dump is where to confirm what was actually written.
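The extracted C2 list and the dridex_ldr memory-dump path above are the two indicators an analyst will most want to turn into something actionable. The following Python is an added example, not part of the Triage report or of any tooling the report describes: it parses the report's C2 entries (copied into the script as constructed input), refuses non-public addresses so a typo never becomes a block rule, flags the non-443 ports, emits one Suricata alert rule per endpoint, and decodes the memory-dump file name into PID, base address and region size. The Suricata SID range (9000001 upward), the classtype string, and the choice of 443 as the only "expected" port are assumptions of the example.

```python
"""Turn the Dridex C2 config and the dridex_ldr memory-dump path from the report
into detection artefacts. Added example; SIDs, classtype and the expected-port
set are assumptions, not something the report states."""
import ipaddress
import re
from typing import List, NamedTuple

# Constructed input: the C2 lines exactly as they appear in the report's
# "Malware Config" section.
REPORT_C2_LINES = """
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
"""

# The resource name the dridex_ldr YARA rule matched on, from the report.
REPORT_MEMDUMP = "behavioral1/memory/2024-1-0x00000000002C0000-0x00000000002FD000-memory.dmp"


class C2(NamedTuple):
    ip: str
    port: int


def parse_c2(text: str) -> List[C2]:
    """Parse 'ip:port' lines. Only public IPv4 addresses with a valid port are
    accepted; anything else raises, so a mangled line cannot silently become
    a firewall or IDS rule against the wrong target."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        addr = ipaddress.ip_address(host)          # ValueError on garbage
        if addr.version != 4 or not addr.is_global:
            raise ValueError(f"refusing non-public address {host}")
        p = int(port)
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port {port}")
        out.append(C2(str(addr), p))
    return out


def unusual_ports(c2s: List[C2], expected=(443,)) -> List[C2]:
    """Endpoints on ports outside the expected set (assumed: only 443).
    These are the ones a 'TLS only on 443' egress policy already blocks;
    the remainder need an explicit per-IP rule."""
    return [c for c in c2s if c.port not in expected]


def suricata_rules(c2s: List[C2], sid_base: int = 9000001) -> List[str]:
    """One alert rule per C2 endpoint. sid_base is an assumed local SID range."""
    rules = []
    for i, c in enumerate(c2s):
        rules.append(
            f'alert tcp $HOME_NET any -> {c.ip} {c.port} '
            f'(msg:"Dridex botnet 10444 C2 {c.ip}:{c.port}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


# Triage dump names look like memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


class Region(NamedTuple):
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memdump_name(name: str) -> Region:
    """Decode the dump file name into the process and address range it covers,
    i.e. what to carve out of the sandbox dump to get the unpacked loader."""
    m = MEMDUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Triage memory dump name: {name}")
    pid, _index, start, end = m.groups()
    return Region(int(pid), int(start, 16), int(end, 16))


if __name__ == "__main__":
    c2s = parse_c2(REPORT_C2_LINES)
    print("non-443 C2 ports:", [f"{c.ip}:{c.port}" for c in unusual_ports(c2s)])
    print("\n".join(suricata_rules(c2s)))
    r = parse_memdump_name(REPORT_MEMDUMP)
    print(f"dridex_ldr region: pid={r.pid} base=0x{r.start:X} size=0x{r.size:X}")
```

The address validation is deliberate: sandbox reports are copied by hand into tickets and rule files, and a C2 entry that has lost a digit can collide with RFC 1918 space, so the parser refuses to emit rules for anything that is not a public IPv4 address.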
Processes

C:\Windows\system32\rundll32.exe (PID 1080)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\s.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 2024)
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\s.bin.dll,#1
       - Blocklisted process makes network request
       - Checks whether UAC is enabled

The DLL is invoked by export ordinal (,#1). The 64-bit rundll32.exe in system32 hands off to the 32-bit copy in SysWOW64 with the same command line, the standard relaunch rundll32.exe performs for a 32-bit DLL on x64 Windows. Everything that matters for detection (the dridex_ldr memory hit, the C2 traffic, the EnableLUA query) happens in that second, 32-bit process, PID 2024, so that is the process to dump and the one whose network flows to pull from the pcap.