Analysis
- max time kernel: 121s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 07-03-2022 12:08
Behavioral task: behavioral1
- Sample: 451f265255305c331d282dc670f7bc1c18730e852ac7d605385421fd83bf7e34.dll
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 451f265255305c331d282dc670f7bc1c18730e852ac7d605385421fd83bf7e34.dll
- Size: 356KB
- MD5: 127de5b6f2a523f581a98df0f70cf606
- SHA1: eb8c766d2975598a8743467390294cb54088c0d9
- SHA256: 451f265255305c331d282dc670f7bc1c18730e852ac7d605385421fd83bf7e34
- SHA512: 7fd1b600435fe3349e0a4359595a84d8eac527708cae452628598a84726a26b5bc6300e9deaa24f76e8fff8a5c1af042886b7a1b665fb6d8e8f728ed17eabab8
Malware Config (Extracted)
- Family: dridex
- Botnet: 10555
- C2:
  - 175.126.167.148:443
  - 173.249.20.233:8043
  - 162.241.204.233:4443
  - 138.122.143.40:8043
- rc4.plain
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (rundll32.exe):
    flow | pid  | process
    4    | 1660 | rundll32.exe
    6    | 1660 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes (rundll32.exe):
    description       | ioc                                                                                   | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (rundll32.exe):
    description                      | pid  | process      | target process
    PID 1316 wrote to memory of 1660 | 1316 | rundll32.exe | rundll32.exe
    PID 1316 wrote to memory of 1660 | 1316 | rundll32.exe | rundll32.exe
    PID 1316 wrote to memory of 1660 | 1316 | rundll32.exe | rundll32.exe
    PID 1316 wrote to memory of 1660 | 1316 | rundll32.exe | rundll32.exe
    PID 1316 wrote to memory of 1660 | 1316 | rundll32.exe | rundll32.exe
    PID 1316 wrote to memory of 1660 | 1316 | rundll32.exe | rundll32.exe
    PID 1316 wrote to memory of 1660 | 1316 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\451f265255305c331d282dc670f7bc1c18730e852ac7d605385421fd83bf7e34.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\451f265255305c331d282dc670f7bc1c18730e852ac7d605385421fd83bf7e34.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled