Analysis
-
max time kernel
136s -
max time network
135s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-11-2020 13:34
Static task
static1
Behavioral task
behavioral1
Sample
j4r7zap.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
j4r7zap.dll
-
Size
539KB
-
MD5
19473a4823afb3ca1c966ffed1ee6003
-
SHA1
db853d8f738ee15172141315e96644bf6f265d6b
-
SHA256
7359fb03e09c8416c7a967f72df483a1b60066434c9e49e0deb4b18cb11e9192
-
SHA512
850fbc3ae33fa2d36fb4ecd7d06487be6dc1e382e7228faf1648b53e7c0d99ef9724b7578b1aaa42f97b53f2b60497737d14033e2deb09f38d838e7f2aa065cd
Malware Config
Extracted
Family
dridex
Botnet
10555
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1632-1-0x0000000000430000-0x000000000046D000-memory.dmp dridex_ldr -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 1632 rundll32.exe 6 1632 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1068 wrote to memory of 1632 1068 rundll32.exe rundll32.exe PID 1068 wrote to memory of 1632 1068 rundll32.exe rundll32.exe PID 1068 wrote to memory of 1632 1068 rundll32.exe rundll32.exe PID 1068 wrote to memory of 1632 1068 rundll32.exe rundll32.exe PID 1068 wrote to memory of 1632 1068 rundll32.exe rundll32.exe PID 1068 wrote to memory of 1632 1068 rundll32.exe rundll32.exe PID 1068 wrote to memory of 1632 1068 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\j4r7zap.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\j4r7zap.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled