Analysis

Max time kernel: 145s
Max time network: 150s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 11-06-2021 02:49
Static task: static1
General

Target: 365afc31bb544c5f888b9b522f7168fac9b14f7ff1829f8a7ac36b38959dde42.dll
Size: 196KB
MD5: 7f1df66da5519c277f1bc1cfc1ece16f
SHA1: f0d1067b1e9dcf7536ee388e3eb94a532a370952
SHA256: 365afc31bb544c5f888b9b522f7168fac9b14f7ff1829f8a7ac36b38959dde42
SHA512: 97ba18d370de5c969c350e5284f3ff22f52a47c94beb774b1f813a405b6573d414f78d416a010299918122a26508ef53e14c4e7b29a101f9529c353aa68ee123
Malware Config

Extracted
Family: dridex
Botnet: 111
C2:
  37.247.35.132:443
  50.243.30.51:6601
  162.241.204.234:6516
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                       yara_rule
  behavioral1/memory/3964-115-0x0000000073850000-0x0000000073883000-memory.dmp   dridex_ldr
Blocklisted process makes network request (3 IoCs)
Processes:
  flow   pid    process
  14     3964   rundll32.exe
  16     3964   rundll32.exe
  17     3964   rundll32.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
  description         ioc                                                                                    process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid    process        target process
  PID 3944 wrote to memory of 3964    3944   rundll32.exe   rundll32.exe
  PID 3944 wrote to memory of 3964    3944   rundll32.exe   rundll32.exe
  PID 3944 wrote to memory of 3964    3944   rundll32.exe   rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\365afc31bb544c5f888b9b522f7168fac9b14f7ff1829f8a7ac36b38959dde42.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\365afc31bb544c5f888b9b522f7168fac9b14f7ff1829f8a7ac36b38959dde42.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled