Analysis
-
max time kernel
70s -
max time network
69s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
30-11-2020 16:26
Behavioral task
behavioral1
Sample
t6yswb.pdf.pellet.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
t6yswb.pdf.pellet.dll
-
Size
590KB
-
MD5
770df303f86ac191c177035c214589ee
-
SHA1
6cb4229559c3bcc16d33a92f81fef25b1840d750
-
SHA256
ffcd3f21e103ef18413700ee91a9737900ea88fcae1607cffbf4d7f587039504
-
SHA512
e23ccdc09dd516cad89f8a2c0f11fa23e64e1b1fcff63f4e56338d24b35ab33a972e99898b80c6ade51382443a3993c9254ebd349167380a0fc2e97687c4bcd9
Malware Config
Extracted
Family
dridex
Botnet
10555
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1644-3-0x0000000000400000-0x000000000043D000-memory.dmp dridex_ldr -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 1644 rundll32.exe 6 1644 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1580 wrote to memory of 1644 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1644 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1644 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1644 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1644 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1644 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1644 1580 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\t6yswb.pdf.pellet.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\t6yswb.pdf.pellet.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled