Resubmissions
23-11-2020 08:20, analysis ID 201123-8781tq461a, score 10

Analysis
Max time kernel: 134s
Max time network: 137s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 23-11-2020 08:20

Tasks
Static task: static1
Behavioral task: behavioral1; sample ojh69yt.zip.dll; resource win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: ojh69yt.zip.dll
Size: 539KB
MD5: 3dd08a111c25ec4fd73599b389f628b0
SHA1: 3e5b5c0f3437af1c5c559d94da64d6e0d36dc56f
SHA256: aa1b00f53b9ee1ee1edeaeab7b7d272d1c8e84cd3140b32e9a15a89f90a7166a
SHA512: a4e01216ff2a304141c690cecebecdd2f20032ccda8f78e26aef392194a7fd1790754c9f1f38e61738d48b6f1c0468c5372cfa44161d4b959608e7c95a58d862
Malware Config
Extracted
Family: dridex
Botnet: 10444
C2:
  162.241.44.26:9443
  192.232.229.53:4443
  77.220.64.34:443
  193.90.12.121:3098
Keys:
  rc4.plain
  rc4.plain
Signatures

YARA match: rule dridex_ldr
  Resource: behavioral1/memory/1988-1-0x0000000000510000-0x000000000054D000-memory.dmp
  (memory region 0x510000-0x54D000 of PID 1988, rundll32.exe)

Blocklisted process makes network request (2 IoCs)
  flow 3, PID 1988, rundll32.exe
  flow 6, PID 1988, rundll32.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  Key value queried by rundll32.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  (EnableLUA is the UAC on/off flag; this IoC belongs to the "Checks whether UAC is enabled" signature shown in the process tree, not to the software-enumeration signature.)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 752 (rundll32.exe) wrote to memory of PID 1988 (rundll32.exe), recorded 7 times
Processes
(PIDs taken from the signature IoCs: 752 is the writer in the WriteProcessMemory events, 1988 the process that made the blocklisted network requests.)

C:\Windows\system32\rundll32.exe (PID 752)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ojh69yt.zip.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 1988)
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\ojh69yt.zip.dll,#1
       - Blocklisted process makes network request
       - Checks whether UAC is enabled

Notes: ",#1" tells rundll32 to call the DLL's export by ordinal 1 rather than by name. The 64-bit rundll32 in system32 cannot load a 32-bit DLL, so it re-launches the same command line through the SysWOW64 rundll32 under WOW64; the writes from 752 into 1988 coincide with that relaunch and, on their own, are not evidence of injection into an unrelated process. The C2 traffic and the EnableLUA query come from the 32-bit child, which is the process whose memory matched dridex_ldr.
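The behaviours this report records, a rundll32 started by ordinal on a DLL in the user's Temp directory, rundll32 spawning rundll32, a connection to one of the extracted C2 endpoints and the loader's known hash, are the things a detection should key on. The script below is an added example and is not code from the sandbox report or its vendor. It takes the C2 list, the command line and the SHA256 from the report; the event records, their field names (modelled on Sysmon event IDs 1, 3 and 7) and the alert format are assumptions made for illustration.

```python
"""Run a few detection rules for this report's behaviour over constructed
Sysmon-style events.  Added example, not part of the sandbox report."""
import re
from typing import Dict, List, Tuple

# Extracted config from the report (family dridex, botnet 10444).
C2_ENDPOINTS = {
    ("162.241.44.26", 9443),
    ("192.232.229.53", 4443),
    ("77.220.64.34", 443),
    ("193.90.12.121", 3098),
}

# SHA256 of ojh69yt.zip.dll from the report's General section.
KNOWN_LOADER_SHA256 = "aa1b00f53b9ee1ee1edeaeab7b7d272d1c8e84cd3140b32e9a15a89f90a7166a"

# rundll32 loading a DLL from the user's Temp directory by export ordinal (",#N").
ORDINAL_TEMP_LOAD = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s,"]*\\appdata\\local\\temp\\[^\s,"]+)"?,#\d+',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sha256_from_hashes(field: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' string such as 'MD5=..,SHA256=..'."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return sorted (rule_name, pid) pairs for every event that matches a rule."""
    alerts: List[Tuple[str, int]] = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:  # process creation
            if basename(ev["Image"]) == "rundll32.exe":
                if ORDINAL_TEMP_LOAD.search(ev.get("CommandLine", "")):
                    alerts.append(("rundll32_ordinal_temp_dll", pid))
                # 64-bit rundll32 handing a 32-bit DLL to the SysWOW64 copy.
                if basename(ev.get("ParentImage", "")) == "rundll32.exe":
                    alerts.append(("rundll32_spawns_rundll32", pid))
        elif ev["EventID"] == 3:  # network connection
            if (ev["DestinationIp"], ev["DestinationPort"]) in C2_ENDPOINTS:
                alerts.append(("dridex_c2_connection", pid))
        elif ev["EventID"] == 7:  # image (DLL) load
            if sha256_from_hashes(ev.get("Hashes", "")) == KNOWN_LOADER_SHA256:
                alerts.append(("known_dridex_loader_hash", pid))
    return sorted(alerts)


# Constructed events modelled on the report's process tree.  The parent of PID
# 752, the hash field layout and the integer port are assumptions; the report
# does not show them.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 752, "ParentProcessId": 1234,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ojh69yt.zip.dll,#1"},
    {"EventID": 1, "ProcessId": 1988, "ParentProcessId": 752,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ojh69yt.zip.dll,#1"},
    {"EventID": 7, "ProcessId": 1988, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\Temp\ojh69yt.zip.dll",
     "Hashes": "SHA256=AA1B00F53B9EE1EE1EDEAEAB7B7D272D1C8E84CD3140B32E9A15A89F90A7166A"},
    {"EventID": 3, "ProcessId": 1988, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "162.241.44.26", "DestinationPort": 9443},
    # Benign noise: a normal rundll32 use and an unrelated HTTPS connection.
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 3, "ProcessId": 2400, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}\tpid={pid}")
```

The ordinal rule fires on both rundll32 instances because the 64-bit one carries the same command line as the 32-bit child it relaunches; the parent/child rule fires only on the child, which is also the only process in the report that talks to a C2 and that loads the DLL, so correlating on PID 1988 lines the four alerts up on one process. The benign shell32 invocation and the browser connection produce nothing.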