Analysis

Max time kernel: 4294184s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20220311-en
Submitted: 19-03-2022 11:19

Static task: static1
Behavioral task: behavioral1
Sample: 0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll
Resource: win7-20220311-en (windows7_x64)
0 signatures
0 seconds
General

Target: 0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll
Size: 538KB
MD5: d76d0aae2bc54602ebfce443aa4f06a3
SHA1: 425b105cbe970b3d38212ebf06b233f61de7fdb9
SHA256: 0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064
SHA512: 262637fab6707b1d5d20aef6b51e172eb9b80a04ee5617a7aa556dd744f3f373b05af9b0d5729f9ed8e13eb019986cf75178741a70027c23bd62ced7a83fd4ef
Malware Config

Extracted
Family: dridex
Botnet: 10555
C2:
  169.255.216.36:443
  138.201.138.91:3389
  89.174.36.41:4643
  87.106.89.36:3389
rc4.plain
rc4.plain
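The C2 list and hashes above are the indicators a responder would sweep for first. The following is an added example, not part of the sandbox report: it parses the extracted config into validated (ip, port) endpoints, matches constructed connection records against them, and classifies file hashes against the sample's digests from the General section. The connection records and their (src, dst, dst_port, proto) layout are constructed for illustration and are not any tool's real format.

```python
"""IOC sweep built from the extracted Dridex config above.

Added example; this is not part of the sandbox report. The connection and
hash records below are constructed to exercise the code, and their simple
(src, dst, dport, proto) layout is an assumption, not any tool's real format.
"""
import ipaddress

# C2 endpoints and file hashes exactly as the report lists them.
C2_RAW = [
    "169.255.216.36:443",
    "138.201.138.91:3389",
    "89.174.36.41:4643",
    "87.106.89.36:3389",
]
SAMPLE_HASHES = {
    "d76d0aae2bc54602ebfce443aa4f06a3",                                  # MD5
    "425b105cbe970b3d38212ebf06b233f61de7fdb9",                          # SHA1
    "0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064",  # SHA256
    "262637fab6707b1d5d20aef6b51e172eb9b80a04ee5617a7aa556dd744f3f373"
    "b05af9b0d5729f9ed8e13eb019986cf75178741a70027c23bd62ced7a83fd4ef",  # SHA512
}


def parse_endpoint(text):
    """Turn 'ip:port' into a validated (ip, port) tuple; rejects malformed entries."""
    host, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {text!r}")
    ip = ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP literal
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return (str(ip), port)


C2 = {parse_endpoint(e) for e in C2_RAW}
C2_IPS = {ip for ip, _ in C2}

# Constructed connection records: (src, dst, dst_port, proto). Not real telemetry.
CONN_LOG = [
    ("10.0.0.15", "169.255.216.36", 443, "tcp"),   # exact C2 match
    ("10.0.0.15", "138.201.138.91", 3389, "tcp"),  # exact C2 match
    ("10.0.0.22", "87.106.89.36", 80, "tcp"),      # C2 IP, port not in the config
    ("10.0.0.22", "10.0.0.5", 3389, "tcp"),        # internal RDP; the port alone is not an IOC
    ("10.0.0.31", "203.0.113.10", 443, "tcp"),     # unrelated HTTPS
]


def sweep_connections(records):
    """Return (src, 'dst:port', confidence) for every record that touches a C2."""
    hits = []
    for src, dst, dport, _proto in records:
        if (dst, dport) in C2:
            hits.append((src, f"{dst}:{dport}", "exact"))
        elif dst in C2_IPS:
            # Same host, different port: still worth a look, but lower confidence.
            hits.append((src, f"{dst}:{dport}", "ip-only"))
    return hits


def classify_hash(value):
    """Return (algorithm, is_known_sample) for a hex digest, or None if it is not one."""
    digest = value.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        return None
    return (algo, digest in SAMPLE_HASHES)


if __name__ == "__main__":
    for hit in sweep_connections(CONN_LOG):
        print(*hit)
    print(classify_hash("D76D0AAE2BC54602EBFCE443AA4F06A3"))
```

Match on the full ip:port pair, not the port: 443 and 3389 are ordinary destinations, so a port-only rule is noise, and an "ip-only" hit is a lead to review rather than a confirmed beacon. Dridex C2 addresses also rotate, so this list is a point-in-time indicator, while the file hashes stay valid for this sample.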
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  3     1828  rundll32.exe
  5     1828  rundll32.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid   process       target process
  PID 1980 wrote to memory of 1828   1980  rundll32.exe  rundll32.exe
  (the same write from PID 1980 into PID 1828 is recorded 7 times)
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled

Both instances load the dropped DLL by ordinal #1. The 64-bit System32 rundll32.exe (PID 1980 in the WriteProcessMemory signature) spawns a 32-bit SysWOW64 rundll32.exe (PID 1828) with the same command line, writes into that child's memory, and it is the child that queries EnableLUA and makes the network requests to the C2 list.
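The process tree above is a behavioural pattern rather than a hash, so it survives repacking. The following is an added example, not part of the sandbox report or of any detection product: it correlates constructed process, memory-write and network events shaped like this report (PIDs 1980 and 1828, ordinal #1, System32 parent with SysWOW64 child) and flags rundll32 loading a DLL from the user's Temp directory by ordinal, a 64-bit rundll32 writing into a 32-bit rundll32 it spawned, and outbound connections from such a process. The event schema is a hypothetical simplified telemetry format, and the events themselves are constructed.

```python
"""Behavioural detection for the rundll32 chain shown in the process tree above.

Added example, not part of the sandbox report. The event records below are
constructed to mirror the report; the dict schema is a hypothetical simplified
telemetry format, not a specific EDR's.
"""
import re
from collections import defaultdict

# rundll32 <path>.dll,#<ordinal> with optional quoting around image and path.
RUNDLL_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\"?\s+\"?(?P<dll>[^\",]+\.dll)\"?\s*,\s*#(?P<ordinal>\d+)",
    re.IGNORECASE,
)
# Per-user Temp, where the sandbox dropped the sample.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0f2404288ec2d5a8fd318b6169644b686d6a61e23f9952884b255e6d0845c064.dll"

# Constructed telemetry in the order the sandbox would have seen it.
EVENTS = [
    {"type": "process_create", "pid": 1980, "ppid": 1200,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE},#1"},
    {"type": "process_create", "pid": 1828, "ppid": 1980,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE},#1"},
    *[{"type": "write_process_memory", "pid": 1980, "target_pid": 1828} for _ in range(7)],
    {"type": "network_connect", "pid": 1828, "dst": "169.255.216.36", "dport": 443},
    {"type": "network_connect", "pid": 1828, "dst": "138.201.138.91", "dport": 3389},
    # Benign noise: rundll32 calling an export by name from a system DLL.
    {"type": "process_create", "pid": 2000, "ppid": 1200,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def is_wow64(image):
    return "\\syswow64\\" in image.lower()


def detect(events):
    """Return human-readable findings for the rundll32 injection chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)
    net = defaultdict(list)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["type"] == "network_connect":
            net[e["pid"]].append(f'{e["dst"]}:{e["dport"]}')

    findings = []
    for pid, p in procs.items():
        m = RUNDLL_ORDINAL.search(p["cmdline"])
        if not m:
            continue  # not an ordinal load; name-based exports are the common benign case
        dll = m.group("dll")
        if USER_TEMP.search(dll):
            findings.append(f"pid {pid}: rundll32 loads ordinal #{m.group('ordinal')} of a DLL in user Temp: {dll}")
        parent = procs.get(p["ppid"])
        if (parent and parent["image"].lower().endswith("\\rundll32.exe")
                and is_wow64(p["image"]) and not is_wow64(parent["image"])):
            n = writes.get((parent["pid"], pid), 0)
            if n:
                findings.append(f"pid {parent['pid']} -> {pid}: 64-bit rundll32 spawned 32-bit rundll32 "
                                f"and wrote to its memory {n} times")
        if pid in net:
            findings.append(f"pid {pid}: rundll32 hosting an ordinal-loaded DLL connected to {', '.join(net[pid])}")
    return findings


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The ordinal-from-Temp rule alone will occasionally fire on installers; the combination that separates this sample is the architecture switch (System32 parent, SysWOW64 child with an identical command line), the memory writes into that child, and the child being the one that talks to the network, so weight the findings together rather than alerting on any single one.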