Analysis
max time kernel: 7s
max time network: 64s
platform: windows7_x64
resource: win7v20201028
submitted: 08-01-2021 12:21
Behavioral task: behavioral1
Sample: b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll
Resource: win7v20201028 (windows7_x64)
Signatures: 0
Time: 0 seconds
General
Target: b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll
Size: 165KB
MD5: eb2a6b15ae783a06f63b258e6b1b5dea
SHA1: c6a15516ba0a987a71032522bbbb345d379001ac
SHA256: b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9
SHA512: b54bdada86e7995ef6d1ce9b22ef5488254774a32b057f28a4672c884b4abf7e87a6957c67790f1f0b6f7230f9e94c4663c02f28d478236f611516868773cc1d
Malware Config
Extracted
Family: dridex
Botnet: 10555
C2:
  199.66.90.63:443
  85.214.26.7:3389
  51.68.224.245:4646
  107.175.87.150:3889
rc4.plain (2 entries; the key values are not reproduced on this page)

Note that only one of the four C2 endpoints uses 443; the other three sit on non-standard ports (3389, 4646, 3889), so network detection should key on the full ip:port pair rather than on port alone.
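The C2 list above is the most directly actionable part of the config. The following is an added example (not part of the sandbox report and not vendor tooling) that parses those four endpoints, emits one Suricata rule per endpoint, and matches them against connection records. The `DRIDEX_C2` list is copied from the report; the flow-log lines and their `time src -> dst proto` format are constructed for the demonstration.

```python
"""Match network telemetry against the C2 list extracted from the report.

Added example, not part of the sandbox report. DRIDEX_C2 is copied verbatim
from the extracted config; SAMPLE_FLOWS and the flow-log format are assumptions.
"""
import ipaddress
import re
from typing import NamedTuple

# C2 endpoints exactly as extracted by the sandbox (botnet 10555).
DRIDEX_C2 = [
    "199.66.90.63:443",
    "85.214.26.7:3389",
    "51.68.224.245:4646",
    "107.175.87.150:3889",
]


class Endpoint(NamedTuple):
    ip: str
    port: int


def parse_endpoints(entries):
    """Parse 'ip:port' strings into Endpoint tuples, rejecting malformed input."""
    eps = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {entry!r}")
        ip = ipaddress.ip_address(host)          # raises on a bad address
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        eps.add(Endpoint(str(ip), port))
    return eps


def suricata_rules(endpoints, sid_base=9000001):
    """One outbound IP+port rule per endpoint. Three of the four C2s are not on
    443, so a rule keyed on the port alone would miss most of them."""
    rules = []
    for i, ep in enumerate(sorted(endpoints)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ep.ip} {ep.port} '
            f'(msg:"Dridex botnet 10555 C2 {ep.ip}:{ep.port}"; flow:to_server; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


# Assumed flow-record layout: "<ts> <src ip:port> -> <dst ip>:<dst port> <proto>"
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


def match_connections(log_lines, endpoints):
    """Return (line, verdict) for lines that reach a C2 address.

    'c2'    = exact ip:port from the config (high confidence)
    'c2-ip' = same host on a different port; kept as a weaker hit instead of
              being dropped, since the config shows the family is not tied to 443.
    """
    c2_ips = {ep.ip for ep in endpoints}
    hits = []
    for line in log_lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        ep = Endpoint(m["dip"], int(m["dport"]))
        if ep in endpoints:
            hits.append((line, "c2"))
        elif ep.ip in c2_ips:
            hits.append((line, "c2-ip"))
    return hits


# Constructed flow records for the demo; 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = [
    "2021-01-08T12:21:40Z 10.0.0.15:49213 -> 199.66.90.63:443 TCP",
    "2021-01-08T12:21:41Z 10.0.0.15:49214 -> 203.0.113.10:443 TCP",
    "2021-01-08T12:21:45Z 10.0.0.15:49215 -> 85.214.26.7:3389 TCP",
    "2021-01-08T12:22:02Z 10.0.0.15:49216 -> 51.68.224.245:443 TCP",
]

if __name__ == "__main__":
    eps = parse_endpoints(DRIDEX_C2)
    print("\n".join(suricata_rules(eps)))
    for line, verdict in match_connections(SAMPLE_FLOWS, eps):
        print(verdict, line)
```

The exact-pair match is what you would ship; the `c2-ip` verdict is a deliberate design choice to surface a known C2 host seen on an unexpected port for an analyst to triage, rather than silently ignoring it.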
Signatures

YARA rule: dridex_ldr
Processes:
resource: behavioral1/memory/1072-3-0x0000000074330000-0x000000007435C000-memory.dmp
yara_rule: dridex_ldr

YARA rule: dridex_ldr_dmod
Processes:
resource: behavioral1/memory/1072-3-0x0000000074330000-0x000000007435C000-memory.dmp
yara_rule: dridex_ldr_dmod

Both rules hit the same 0x2C000-byte (176 KB) region mapped in PID 1072, which per the process tree below is the SysWOW64 regsvr32.exe; the region size is consistent with the 165 KB DLL mapped in memory, and the 32-bit address range is consistent with a 32-bit module loaded under WoW64.
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                         pid    process        target process
PID 1676 wrote to memory of 1072    1676   regsvr32.exe   regsvr32.exe
(all 7 entries are identical: the same writer, target and images)

All seven writes go from the outer regsvr32.exe (PID 1676) into the SysWOW64 regsvr32.exe it launched (PID 1072). A parent writing into a child it has just created also shows up as WriteProcessMemory on benign process launches, so on its own this is a weak indicator; the YARA hits in 1072's memory and the /s registration of a DLL from the user's Temp directory are the stronger signals here.
Processes

C:\Windows\system32\regsvr32.exe (PID 1676, depth 1)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll
  signature: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 1072, depth 2)
    command line: /s C:\Users\Admin\AppData\Local\Temp\b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll

The 64-bit regsvr32.exe in system32 hands the same DLL path to the 32-bit regsvr32.exe in SysWOW64, and it is the SysWOW64 child (PID 1072) that ends up with the Dridex loader mapped. The /s switch suppresses the registration success/failure dialog, so the user sees nothing.
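The process tree above is a compact detection opportunity: regsvr32.exe run silently (/s) against a DLL in the user's Temp directory, re-launched under SysWOW64 for the same path, with the only cross-process writes being the parent into its own child. The following is an added example (not part of the sandbox report, not vendor code) that turns those observations into detection logic over process-creation and memory-write events. The event shapes are assumed, not a real Sysmon schema; the events mirror the report's PIDs and command lines, and the explorer.exe parent and the benign vendor-DLL event are constructed for the demonstration.

```python
"""Detect a silent regsvr32 load of a Temp-directory DLL and fold the
system32 -> SysWOW64 re-launch into one incident.

Added example, not from the report or the sandbox vendor. ProcEvent/WriteEvent
are assumed shapes; EVENTS mirrors the report (PIDs 1676 -> 1072, same DLL),
with a constructed explorer.exe parent and a constructed benign regsvr32 run.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:      # process-creation record (Sysmon event 1 style)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class WriteEvent:     # one "wrote to memory of" row from the report
    src_pid: int
    dst_pid: int


# /s (silent) followed by a DLL under <drive>:\Users\<user>\AppData\Local\Temp.
SILENT_TEMP_DLL = re.compile(
    r'(?i)(?:^|\s)/s\s+"?(?P<dll>[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^"\s]+\.dll)"?'
)


def is_regsvr32(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] == "regsvr32.exe"


def silent_temp_dll(ev: ProcEvent):
    """Return the DLL path (lower-cased) if ev is regsvr32 silently registering
    a DLL from the user's Temp directory, else None."""
    if not is_regsvr32(ev.image):
        return None
    m = SILENT_TEMP_DLL.search(ev.cmdline)
    return m.group("dll").lower() if m else None


def regsvr32_chains(events):
    """Group hits into loader chains keyed on the leaf process, i.e. the
    regsvr32 that actually maps the DLL. A system32 regsvr32 that re-launches
    SysWOW64\\regsvr32.exe on the same DLL is one incident, not two alerts."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        dll = silent_temp_dll(e)
        if dll:
            hits[e.pid] = dll
    chains = {}
    for pid, dll in hits.items():
        # Not a leaf if some other hit on the same DLL is our direct child.
        if any(by_pid[c].ppid == pid and hits[c] == dll for c in hits):
            continue
        lineage = [pid]
        p = by_pid[pid].ppid
        while p in hits and hits[p] == dll:
            lineage.append(p)
            p = by_pid[p].ppid
        chains[pid] = {
            "dll": dll,
            "pids": lineage[::-1],                       # root first
            "wow64": "\\syswow64\\" in by_pid[pid].image.lower(),
        }
    return chains


def classify_writes(writes, events):
    """Split WriteProcessMemory rows into parent->own-child writes (seen on
    ordinary process creation, weak) and writes from any other process (strong)."""
    ppid = {e.pid: e.ppid for e in events}
    out = {"launch": 0, "injection": 0}
    for w in writes:
        out["launch" if ppid.get(w.dst_pid) == w.src_pid else "injection"] += 1
    return out


# Constructed events mirroring the report's process tree and IoC table.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\b6ab3011a740ead047ff5bdb242fff77cbc3c5cbee2757c1ab8f830ceaef24c9.dll")
EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),            # constructed
    ProcEvent(1676, 900, r"C:\Windows\system32\regsvr32.exe", f"regsvr32 /s {DLL}"),
    ProcEvent(1072, 1676, r"C:\Windows\SysWOW64\regsvr32.exe", f"/s {DLL}"),
    ProcEvent(2001, 900, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"),              # constructed, benign
]
WRITES = [WriteEvent(1676, 1072)] * 7          # the report's 7 identical IoCs


def detect(events=EVENTS, writes=WRITES):
    return {"chains": regsvr32_chains(events), "writes": classify_writes(writes, events)}


if __name__ == "__main__":
    print(detect())
```

Keying the chain on the leaf PID is what lets a memory-scan hit (the YARA rule on PID 1072 above) and the process-tree alert land on the same process; the Program Files case is left unflagged on purpose, since the rule is about a user-writable source directory, not about regsvr32 /s as such.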