Analysis
- max time kernel: 139s
- max time network: 141s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-11-2020 06:07
Behavioral task: behavioral1
- Sample: 769784acd17b14c5f40c1e38be0ba02d.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 769784acd17b14c5f40c1e38be0ba02d.dll
- Size: 539KB
- MD5: 769784acd17b14c5f40c1e38be0ba02d
- SHA1: c6f94ffc8720649e913e31b23c2f81dd9e1bb455
- SHA256: c209236632e40ebb907a7d288bf879bf81542cbdc4b2046ae45280c305fdc980
- SHA512: a571c37e8e4deb7f6bebd596ec89df7953032b49524217677639ff058ad26eb711c1e6b03380a359a2e19c2b2a7d69d13258a220f555b377ae33be77d410c978
Malware Config (Extracted)
- Family: dridex
- Botnet: 10444
- C2:
  - 162.241.44.26:9443
  - 192.232.229.53:4443
  - 77.220.64.34:443
  - 193.90.12.121:3098
- rc4.plain
- rc4.plain
Signatures

- Processes:
  resource: behavioral1/memory/1900-1-0x0000000000350000-0x000000000038D000-memory.dmp
  yara_rule: dridex_ldr

- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  4     1900  rundll32.exe
  7     1900  rundll32.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                         pid   process       target process
  PID 1704 wrote to memory of 1900    1704  rundll32.exe  rundll32.exe
  (this row is repeated 7 times in the report, once per IoC)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\769784acd17b14c5f40c1e38be0ba02d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\769784acd17b14c5f40c1e38be0ba02d.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled