Analysis
max time kernel: 121s
max time network: 120s
platform: windows7_x64
resource: win7v20201028
submitted: 19-11-2020 14:51

Behavioral task: behavioral1
Sample: 11e755c9d1a5ea74dfc765a2f44eb7c3bbc2d735fcf2489882ede6aeb0816493.bin.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: 11e755c9d1a5ea74dfc765a2f44eb7c3bbc2d735fcf2489882ede6aeb0816493.bin.dll
Size: 235KB
MD5: 180230a6ffbbf57a370da06c41b26cf1
SHA1: 2f25b00b16544615b766e5efd10555797177f29a
SHA256: 11e755c9d1a5ea74dfc765a2f44eb7c3bbc2d735fcf2489882ede6aeb0816493
SHA512: ac20e09c66c9ee9b72543b17c35891c99a0ec210cf90fda93d451846f46747c309d96188b55588333f3e3a395292b1a9d0bd93f91b7b47fba7a61a49e0050427
Malware Config
Extracted
Family: dridex
Botnet: 10555
C2:
  162.241.44.26:9443
  192.232.229.53:4443
  77.220.64.34:443
  193.90.12.121:3098
rc4.plain
rc4.plain
Signatures

Processes:
  resource | yara_rule
  behavioral1/memory/1896-1-0x0000000074DE0000-0x0000000074E1D000-memory.dmp | dridex_ldr

Blocklisted process makes network request (2 IoCs)
Processes:
  flow | pid  | process
  4    | 1896 | rundll32.exe
  7    | 1896 | rundll32.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
  description       | ioc                                                                                       | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (7 identical entries):
  description                     | pid | process      | target process
  PID 240 wrote to memory of 1896 | 240 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e755c9d1a5ea74dfc765a2f44eb7c3bbc2d735fcf2489882ede6aeb0816493.bin.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e755c9d1a5ea74dfc765a2f44eb7c3bbc2d735fcf2489882ede6aeb0816493.bin.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled