Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-11-2020 18:05
Static task
static1
Behavioral task
behavioral1
Sample
ef5ai1p.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
ef5ai1p.dll
-
Size
539KB
-
MD5
1ba0b20a2d03d8af03a7faa42b06417f
-
SHA1
4c528bb2afd93d8cb1199d05dc33d77e08f0ee88
-
SHA256
f5951b345050e10fa0d3b70b42e6b56d5a720a7a67c381345e33c145e2ba2452
-
SHA512
5447e2424e0beeace8c1d3de285fcd841b184e9ed1b3035334fd3005399aa0947b5688a22754b9114ff3f9444906481a519477fbd9cfdb17f23136ad14f6eef3
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/840-1-0x0000000000360000-0x000000000039D000-memory.dmp dridex_ldr -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 840 rundll32.exe 7 840 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1980 wrote to memory of 840 1980 rundll32.exe rundll32.exe PID 1980 wrote to memory of 840 1980 rundll32.exe rundll32.exe PID 1980 wrote to memory of 840 1980 rundll32.exe rundll32.exe PID 1980 wrote to memory of 840 1980 rundll32.exe rundll32.exe PID 1980 wrote to memory of 840 1980 rundll32.exe rundll32.exe PID 1980 wrote to memory of 840 1980 rundll32.exe rundll32.exe PID 1980 wrote to memory of 840 1980 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef5ai1p.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef5ai1p.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled