Analysis
- max time kernel: 29s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-06-2021 00:34
- Static task: static1
General
- Target: 8d047211eb103a73913ed77b9f09e06521968cd57ea3c4d8f2c4fbbac193dd68.dll
- Size: 196KB
- MD5: fb66a7b0322701d1c84ab5254a424779
- SHA1: 87601760c9f7cd6604905411488a8be0b16513f8
- SHA256: 8d047211eb103a73913ed77b9f09e06521968cd57ea3c4d8f2c4fbbac193dd68
- SHA512: a211648ebb72cfda29e1813c814c777024cf3f55370e8878700f1ac52a2e4d66d59953d13051214e287e6d5b1ddcd7ff43bf0a51b66bf310a1ee0441211c3fb4
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  - 37.247.35.132:443
  - 50.243.30.51:6601
  - 162.241.204.234:6516
- rc4.plain
- rc4.plain
Signatures
- YARA match (rule: dridex_ldr)
  resource: behavioral1/memory/1808-115-0x0000000073C60000-0x0000000073C93000-memory.dmp
- Blocklisted process makes network request (2 IoCs)
  Processes:
  - flow 15: pid 1808, rundll32.exe
  - flow 17: pid 1808, rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 416 wrote to memory of 1808: pid 416, rundll32.exe -> target process rundll32.exe
  - PID 416 wrote to memory of 1808: pid 416, rundll32.exe -> target process rundll32.exe
  - PID 416 wrote to memory of 1808: pid 416, rundll32.exe -> target process rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 416)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d047211eb103a73913ed77b9f09e06521968cd57ea3c4d8f2c4fbbac193dd68.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1808)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d047211eb103a73913ed77b9f09e06521968cd57ea3c4d8f2c4fbbac193dd68.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled