Analysis
- max time kernel: 119s
- max time network: 119s
- submitted: 01-01-1970 00:00
Static task: static1
Behavioral task: behavioral1
Sample: 84e3dfa5e65fcd9f9aa29b79a0ad4924.dll
Resource: win7-en-20211014
Platform: windows7_x64
0 signatures
0 seconds
General
- Target: 84e3dfa5e65fcd9f9aa29b79a0ad4924.dll
- Size: 750KB
- MD5: 84e3dfa5e65fcd9f9aa29b79a0ad4924
- SHA1: 55cef822fb414878fce96b74328e7f6e214cb3f1
- SHA256: c721d124999fe9388e49688994b3316a0b7c4735f96012a5efa20e1aabf87188
- SHA512: b75894a067c495cdeb4b97e78f1d1b19566c7489bf1cf44117ccfe8ad97db363e4e79061118c231289cb523eef3eda6ea88a4aebcf0be239e101c2cdaddd7df1
Malware Config
Extracted
- Family: dridex
- Botnet: 10555
- C2:
  192.46.210.220:443
  143.244.140.214:808
  45.77.0.96:6891
  185.56.219.47:8116
rc4.plain
rc4.plain
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid  process
  3     576  rundll32.exe
  6     576  rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
  description        ioc                                                                                     process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                     pid  process       target process
  PID 740 wrote to memory of 576  740  rundll32.exe  rundll32.exe   (7 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84e3dfa5e65fcd9f9aa29b79a0ad4924.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 740
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 740)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84e3dfa5e65fcd9f9aa29b79a0ad4924.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
    PID: 576