Analysis
-
max time kernel: 14s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 19-11-2020 06:07

Behavioral task: behavioral1
Sample: 769784acd17b14c5f40c1e38be0ba02d.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

The signatures, memory dump and process tree below come from the windows10_x64 run (behavioral2, win10v20201028); the windows7_x64 task (behavioral1) recorded no signatures.
General
-
Target
769784acd17b14c5f40c1e38be0ba02d.dll
-
Size
539KB
-
MD5
769784acd17b14c5f40c1e38be0ba02d
-
SHA1
c6f94ffc8720649e913e31b23c2f81dd9e1bb455
-
SHA256
c209236632e40ebb907a7d288bf879bf81542cbdc4b2046ae45280c305fdc980
-
SHA512
a571c37e8e4deb7f6bebd596ec89df7953032b49524217677639ff058ad26eb711c1e6b03380a359a2e19c2b2a7d69d13258a220f555b377ae33be77d410c978
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
rc4.plain
rc4.plain
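The extracted config above is the part of this report worth operationalising: four C2 endpoints, a botnet ID and the fact that the beacon body is RC4-encrypted (so payload-content signatures are of little use). The following is an added example, not code from the report or from the sandbox vendor: it parses the flattened label/value listing exactly as printed on the page into validated (ip, port) pairs and turns them into per-endpoint Suricata rules and a host blocklist. The sid range 9000001+ and the flow options are assumptions; pick your own.

```python
import ipaddress
import re

# Constructed copy of this report's "Malware Config" section, with the values exactly as they
# appear on the page (the rc4.plain key values are not reproduced on the page, so they are omitted).
REPORT_CONFIG = """\
Family
dridex
Botnet
10444
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
"""

_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
_FIELDS = ("Family", "Botnet", "C2")


def parse_config(text):
    """Turn the flattened label/value listing into a dict.

    Scalar fields become strings; "C2" becomes a list of (ip, port) tuples, each validated so a
    mangled line cannot silently turn into a rule that matches nothing."""
    cfg = {"c2": []}
    field = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in _FIELDS:
            field = line
        elif field == "C2":
            m = _ENDPOINT.match(line)
            if not m:
                raise ValueError(f"bad C2 endpoint: {line!r}")
            ip = str(ipaddress.ip_address(m.group(1)))  # rejects octets above 255
            port = int(m.group(2))
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {line!r}")
            cfg["c2"].append((ip, port))
        elif field is not None:
            cfg[field.lower()] = line
    return cfg


def suricata_rules(cfg, sid_base=9000001):
    """One outbound alert per C2 endpoint (hypothetical sid range; assumption).

    The config carries RC4 keys, i.e. the beacon body is encrypted, so the rule keys on the
    destination ip:port rather than on payload content."""
    rules = []
    for i, (ip, port) in enumerate(cfg["c2"]):
        msg = f'{cfg["family"]} botnet {cfg["botnet"]} C2 {ip}:{port}'
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{msg}"; flow:to_server,established; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def hosts_blocklist(cfg):
    """Sorted unique C2 addresses, e.g. for a firewall address object. Ports are dropped on
    purpose so the object survives a port change in a later config."""
    return sorted({ip for ip, _ in cfg["c2"]}, key=ipaddress.ip_address)


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    print("\n".join(suricata_rules(cfg)))
    print(hosts_blocklist(cfg))
```

IP-based indicators from a Dridex config age quickly (nodes are rotated and are often compromised third-party hosts), so treat the rules as short-lived and tie them to the botnet ID and submission date in the rule message rather than leaving them in place indefinitely.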
Signatures
-
Yara rule dridex_ldr matched in process memory
resource | yara_rule
behavioral2/memory/1484-1-0x0000000004740000-0x000000000477D000-memory.dmp | dridex_ldr
The match is against a memory dump of PID 1484 (the SysWOW64 rundll32 child in the process tree), not against the DLL file on disk.
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | process | target process
PID 3372 wrote to memory of 1484 | 3372 | rundll32.exe | rundll32.exe
PID 3372 wrote to memory of 1484 | 3372 | rundll32.exe | rundll32.exe
PID 3372 wrote to memory of 1484 | 3372 | rundll32.exe | rundll32.exe
All three writes are the same parent-to-child pair (the 64-bit rundll32 writing into the 32-bit copy it launched), which happens for any 32-bit DLL run through 64-bit rundll32, so on their own they are a weak signal; the yara hit and the extracted config are the substantive evidence.
Processes
-
1. C:\Windows\system32\rundll32.exe (PID 3372)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\769784acd17b14c5f40c1e38be0ba02d.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1484)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\769784acd17b14c5f40c1e38be0ba02d.dll,#1
The DLL is invoked by ordinal (export #1) from the user's Temp directory. The 64-bit rundll32 in system32 cannot load a 32-bit DLL, so it relaunches the SysWOW64 copy; that child is the process carrying the dridex_ldr memory match.
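The process tree above is the detection-relevant shape rather than any particular hash: rundll32 loading a DLL from a user-writable directory, calling an export by ordinal, and a system32 rundll32 spawning its SysWOW64 counterpart. The following is an added example, not code from the report or the sandbox vendor, that runs that logic over constructed process-creation events (Sysmon Event ID 1 style fields) modelled on the two rundll32 processes here plus a benign control; the event field names and the list of user-writable paths are assumptions.

```python
# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the fields the rule
# needs). The first two mirror the process tree in this report; the third is a benign control.
EVENTS = [
    {"pid": 3372, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\769784acd17b14c5f40c1e38be0ba02d.dll,#1"},
    {"pid": 1484, "ppid": 3372, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\769784acd17b14c5f40c1e38be0ba02d.dll,#1"},
    {"pid": 2200, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

# Directories an unprivileged user can write to (assumed list); a DLL run from here by
# rundll32 is rarely legitimate.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<entry> [args]' into (dll, entry).

    Returns None when the command is not rundll32 syntax. entry is the export name, '#<n>' for
    an ordinal, or None when no entry point was given. Quoted DLL paths containing spaces are
    not handled (rundll32's own parsing of those is inconsistent)."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2 or not parts[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    spec = parts[1].split(None, 1)[0].strip('"')
    if "," not in spec:
        return spec, None
    dll, entry = spec.rsplit(",", 1)
    return dll, entry or None


def rundll32_reasons(ev, by_pid):
    """Reasons this event is suspicious; an empty list means the rule did not fire."""
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32(ev["cmdline"])
    if parsed is None:
        return []
    dll, entry = parsed
    reasons = []
    if any(d in dll.lower() for d in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable path")
    if entry and entry.startswith("#"):
        reasons.append("export invoked by ordinal")
    parent = by_pid.get(ev["ppid"])
    if (parent and "\\system32\\rundll32.exe" in parent["image"].lower()
            and "\\syswow64\\rundll32.exe" in ev["image"].lower()):
        reasons.append("64-bit rundll32 relaunched itself as the 32-bit copy (32-bit DLL)")
    return reasons


def detect(events):
    """Map pid -> reasons for every event that fired."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        reasons = rundll32_reasons(e, by_pid)
        if reasons:
            hits[e["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, "; ".join(reasons))
```

The relaunch check needs the parent event to be in the same batch (it is looked up by ppid), so in a real pipeline run it over a window of events rather than one record at a time. Ordinal invocation and a user-writable path each fire on their own; together with the cross-bitness relaunch they reproduce the full chain seen in this report.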