Analysis

- max time kernel: 30s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-06-2021 12:12
- Static task: static1
General

- Target: 647dc37a153a595cb25a82860396a93d6a46d3946902050a0a809833d9941a7b.dll
- Size: 196KB
- MD5: 3bd0d6ac0accdc2b594fa935bba200c6
- SHA1: 15c8bc14fa698cb4caf4835068a0ef79d7207ccc
- SHA256: 647dc37a153a595cb25a82860396a93d6a46d3946902050a0a809833d9941a7b
- SHA512: a113da9b244ea37a510b6fc7357f325716c77a810c61ef2666dbf1bd7f3d87e97dbfc7db0c1d2feb775231d8df089dcc9c02e59c40bfb8aae7ca5554dbf40a3f
Malware Config

Extracted

- Family: dridex
- Botnet: 111
- C2:
  - 37.247.35.132:443
  - 50.243.30.51:6601
  - 162.241.204.234:6516
- rc4.plain
- rc4.plain
Signatures

- YARA rule match
  Processes:
    resource                                                                          yara_rule
    behavioral1/memory/412-115-0x0000000074440000-0x0000000074473000-memory.dmp     dridex_ldr

- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow   pid   process
    13     412   rundll32.exe
    15     412   rundll32.exe

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
    description         ioc                                                                                      process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                     pid   process        target process
    PID 644 wrote to memory of 412  644   rundll32.exe   rundll32.exe
    PID 644 wrote to memory of 412  644   rundll32.exe   rundll32.exe
    PID 644 wrote to memory of 412  644   rundll32.exe   rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\647dc37a153a595cb25a82860396a93d6a46d3946902050a0a809833d9941a7b.dll,#1
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\647dc37a153a595cb25a82860396a93d6a46d3946902050a0a809833d9941a7b.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled