Analysis
-
max time kernel: 29s
max time network: 96s
platform: windows10_x64
resource: win10v20210408
submitted: 20-06-2021 22:31
Static task: static1
General
-
Target: 2cbfa60a5dd07e82905309c94f58e30b16347bc3847e7b4c2295afca1b24f727.dll
Size: 196KB
MD5: 17fd5ed00ab174d9e9948b0754593ab4
SHA1: 72dc65a76aba38e5fe5431642d90c3944a167c7a
SHA256: 2cbfa60a5dd07e82905309c94f58e30b16347bc3847e7b4c2295afca1b24f727
SHA512: 5d254ec63fa6204317974402e017b94e9150c8da938103009f5ca7e86cae336f95e8c750f41c660a62f2e1e2222f356b1e208897f4b4c49b48fe35bd8d5345ee
Malware Config
-
Extracted
Family: dridex
Botnet: 111
C2:
- 37.247.35.132:443
- 50.243.30.51:6601
- 162.241.204.234:6516
rc4.plain
rc4.plain
Signatures
-
YARA match in memory (resource / yara_rule)
- behavioral1/memory/868-115-0x00000000735E0000-0x0000000073613000-memory.dmp matched rule dridex_ldr
- The dumped region lives in PID 868 (the SysWOW64 rundll32.exe below) and spans 0x33000 bytes (204KB), i.e. the 196KB DLL mapped as an image at a 32-bit user-mode address, which fits a Dridex loader running inside the 32-bit rundll32 host rather than code injected elsewhere.
Blocklisted process makes network request (2 IoCs)
- flow 12: PID 868 rundll32.exe
- flow 14: PID 868 rundll32.exe
Checks installed software on the system (1 TTP)
- Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe). A value of 0 means UAC is off; the loader reads it to decide how to proceed on the host.
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 528 rundll32.exe wrote to memory of PID 868 rundll32.exe (three events).
- Caveat: 528 is the 64-bit C:\Windows\system32\rundll32.exe and 868 is the 32-bit C:\Windows\SysWOW64\rundll32.exe it launches to host a 32-bit DLL on an x64 platform. Parent-to-child writes during that relaunch are normal rundll32 behaviour, so this signature here is consistent with the WoW64 handoff rather than injection into an unrelated process; the network flows and the in-memory YARA hit carry the weight of the verdict.
Processes
-
C:\Windows\system32\rundll32.exe (PID 528)
- Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbfa60a5dd07e82905309c94f58e30b16347bc3847e7b4c2295afca1b24f727.dll,#1
- The ",#1" suffix tells rundll32 to call the DLL's export with ordinal 1, so the loader exposes no named export worth searching for.
- Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 868, child of 528)
  - Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbfa60a5dd07e82905309c94f58e30b16347bc3847e7b4c2295afca1b24f727.dll,#1
  - Signatures: Blocklisted process makes network request; Checks whether UAC is enabled
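The extracted C2 list and the process tree above give a hunter everything needed to spot this chain on a real endpoint. The following is an added example, not part of the sandbox report or of any Triage tooling: a small Python hunt over Sysmon-style process, registry and network events. The event records are constructed to mirror the report (PIDs 528 and 868, the Temp DLL loaded by ordinal, the EnableLUA query, the three C2 endpoints); field names follow Sysmon's, the explorer.exe parent of PID 528 is assumed since the report does not show it, and the "Temp DLL plus C2 or odd port" pairing rule in dridex_like is this example's own heuristic.

```python
"""Hunt for the rundll32/Dridex behaviour chain over Sysmon-style events.

Added example, not taken from the sandbox report. The events below are
constructed to mirror the report's process tree, registry IoC and C2 list;
field names follow Sysmon (Image, CommandLine, ParentImage, DestinationIp,
TargetObject). The explorer.exe parent of PID 528 is assumed.
"""
import ipaddress
import re
from collections import defaultdict

# C2 endpoints from the extracted Dridex config (botnet 111) in the report.
DRIDEX_C2 = {
    ("37.247.35.132", 443),
    ("50.243.30.51", 6601),
    ("162.241.204.234", 6516),
}

# rundll32 loading a DLL out of the user's Temp directory by export ordinal
# ("<path>.dll,#1"), the shape of both command lines in the report.
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)

DLL = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
       "2cbfa60a5dd07e82905309c94f58e30b16347bc3847e7b4c2295afca1b24f727.dll")


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def hunt(events):
    """Map PID -> list of observations relevant to the rundll32/Dridex chain."""
    findings = defaultdict(list)
    for ev in events:
        pid, kind = ev["ProcessId"], ev["EventType"]
        if kind == "ProcessCreate" and is_rundll32(ev["Image"]):
            if TEMP_DLL_ORDINAL.search(ev["CommandLine"]):
                findings[pid].append("rundll32 loads Temp DLL by ordinal")
            # 64-bit system32 rundll32 re-launching the SysWOW64 copy: how a
            # 32-bit DLL gets hosted on an x64 host, and the source of the
            # parent->child WriteProcessMemory events in the report.
            parent = ev.get("ParentImage", "")
            if (is_rundll32(parent) and "\\system32\\" in parent.lower()
                    and "\\syswow64\\" in ev["Image"].lower()):
                findings[pid].append("WoW64 rundll32 relaunch")
        elif kind == "NetworkConnect" and is_rundll32(ev["Image"]):
            dst = (ev["DestinationIp"], ev["DestinationPort"])
            if dst in DRIDEX_C2:
                findings[pid].append("known Dridex C2 %s:%d" % dst)
            elif (not ipaddress.ip_address(dst[0]).is_private
                  and dst[1] not in (80, 443)):
                findings[pid].append("rundll32 to unusual port %s:%d" % dst)
        elif kind == "RegistryQuery":
            if ev["TargetObject"].lower().endswith("\\policies\\system\\enablelua"):
                findings[pid].append("UAC check (EnableLUA)")
    return dict(findings)


def dridex_like(findings):
    """PIDs that both loaded a Temp DLL via rundll32 and reached a C2 or odd port.

    The pairing rule is this example's own heuristic, not the sandbox's scoring.
    """
    hits = []
    for pid, obs in findings.items():
        loader = any(o.startswith("rundll32 loads Temp DLL") for o in obs)
        net = any(o.startswith(("known Dridex C2", "rundll32 to unusual port")) for o in obs)
        if loader and net:
            hits.append(pid)
    return sorted(hits)


# Constructed events modelled on the report (PIDs, paths and C2s taken from it).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 528,
     "ParentImage": "C:\\Windows\\explorer.exe",  # assumed, not in the report
     "Image": "C:\\Windows\\system32\\rundll32.exe",
     "CommandLine": "rundll32.exe " + DLL + ",#1"},
    {"EventType": "ProcessCreate", "ProcessId": 868,
     "ParentImage": "C:\\Windows\\system32\\rundll32.exe",
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "CommandLine": "rundll32.exe " + DLL + ",#1"},
    {"EventType": "RegistryQuery", "ProcessId": 868,
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"},
    {"EventType": "NetworkConnect", "ProcessId": 868,
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "DestinationIp": "50.243.30.51", "DestinationPort": 6601},
    {"EventType": "NetworkConnect", "ProcessId": 868,
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "DestinationIp": "37.247.35.132", "DestinationPort": 443},
    # Benign noise: an ordinary rundll32 use, an internal connection, another image.
    {"EventType": "ProcessCreate", "ProcessId": 1234,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\system32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventType": "NetworkConnect", "ProcessId": 1234,
     "Image": "C:\\Windows\\system32\\rundll32.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 6601},
    {"EventType": "NetworkConnect", "ProcessId": 4321,
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443},
]

if __name__ == "__main__":
    for pid, obs in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, obs)
    print("Dridex-like PIDs:", dridex_like(hunt(SAMPLE_EVENTS)))
```

On the sample data only PID 868 is flagged: PID 528 loaded the Temp DLL but never talked to the network itself, which matches the report, where the network flows and the UAC check both belong to the SysWOW64 child. The WoW64 relaunch observation is recorded so an analyst can see why the parent-to-child WriteProcessMemory events occur without treating them as injection.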