Analysis
max time kernel: 19s
max time network: 135s
platform: windows10_x64
resource: win10v20201028
submitted: 05-11-2020 07:27
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: e5a1785a5b06c596107a75eb1e51454b.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
General
Target: e5a1785a5b06c596107a75eb1e51454b.dll
Size: 638KB
MD5: e5a1785a5b06c596107a75eb1e51454b
SHA1: 3e44a3cb67613f11aae1f9189cbd9ea100d3a1f2
SHA256: 905960957f03c7a56deaee448ac8fff59f7aad97619ee5a98eb220b9cebee849
SHA512: b046c5a02446652df5271b97b3785ba6d5e593cc639388f3c22e4c3ef9ecf2fab3fc08c761e9c167e8840aa12fcdfa9a978d9409e165890306a64d987e7c373f
Malware Config (extracted)
Family: dridex
Botnet: 10444
C2:
  193.37.215.79:443
  81.2.235.131:1688
  178.63.156.139:3388
rc4.plain
rc4.plain
Signatures

YARA rule match on a process memory dump:
  resource: behavioral2/memory/1000-1-0x0000000000D30000-0x0000000000D6D000-memory.dmp
  yara_rule: dridex_ldr

Suspicious use of WriteProcessMemory (3 IoCs):
  description                       pid   process       target process
  PID 1924 wrote to memory of 1000  1924  rundll32.exe  rundll32.exe
  PID 1924 wrote to memory of 1000  1924  rundll32.exe  rundll32.exe
  PID 1924 wrote to memory of 1000  1924  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5a1785a5b06c596107a75eb1e51454b.dll,#1
  PID: 1924
  signatures: Suspicious use of WriteProcessMemory
  child:
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5a1785a5b06c596107a75eb1e51454b.dll,#1
      PID: 1000

Note: the 64-bit rundll32 (PID 1924, system32) re-launching the 32-bit rundll32 (PID 1000, SysWOW64) with the same command line is consistent with the DLL being a 32-bit image, which the x64 rundll32 cannot load itself; the DLL is invoked by export ordinal (#1) rather than by name, and the dridex_ldr YARA hit above is on a memory region of the 32-bit child (PID 1000), which is also the target of the three WriteProcessMemory events.
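The following is an added detection example built from the indicators in this report (the extracted C2 list, the sample hashes and the rundll32 process tree); it is not sandbox output and not code from the analysis platform. It runs three checks over constructed Sysmon-style events that mirror the report (process creation, image load and network connection) plus two benign events: rundll32 loading a DLL by ordinal from a user-writable AppData path, the system32 rundll32 handing off to the SysWOW64 copy, a loaded image whose hashes match the sample, and a connection to one of the listed C2 endpoints. The event field names follow Sysmon's; the events themselves are constructed, not captured.

```python
"""Detection checks for the Dridex loader indicators in this report (added example).

Events below are constructed Sysmon-style records mirroring the report; they are not
captured telemetry. Field names (Image, ParentImage, CommandLine, Hashes, ...) follow Sysmon.
"""
import re

# C2 endpoints from the extracted config (botnet 10444): (ip, port) pairs.
DRIDEX_C2 = {
    ("193.37.215.79", 443),
    ("81.2.235.131", 1688),
    ("178.63.156.139", 3388),
}

# File hashes from the report. Sysmon emits MD5/SHA1/SHA256/IMPHASH, so SHA512 is not used here.
SAMPLE_HASHES = {
    "md5": "e5a1785a5b06c596107a75eb1e51454b",
    "sha1": "3e44a3cb67613f11aae1f9189cbd9ea100d3a1f2",
    "sha256": "905960957f03c7a56deaee448ac8fff59f7aad97619ee5a98eb220b9cebee849",
}

# rundll32 given a DLL under <user>\AppData\{Local,Roaming}\... and an ordinal export (#N),
# exactly the shape of the command line in the process tree above.
RUNDLL32_ORDINAL_APPDATA = re.compile(
    r"""rundll32(?:\.exe)?\s+"?(?P<dll>[^",]*\\AppData\\(?:Local|Roaming)\\[^",]*\.dll)"?,\s*#\d+""",
    re.IGNORECASE,
)


def check_process_create(evt):
    """Sysmon Event ID 1: flag ordinal loads from AppData and the x64 -> WoW64 rundll32 hand-off."""
    findings = []
    m = RUNDLL32_ORDINAL_APPDATA.search(evt.get("CommandLine", ""))
    if m:
        findings.append(f"rundll32 loads DLL by ordinal from user-writable path: {m.group('dll')}")
    image = evt.get("Image", "").lower()
    parent = evt.get("ParentImage", "").lower()
    # Normal for any 32-bit DLL on x64 Windows, so this is context, not a verdict on its own;
    # here it is the same parent/child pair the report's WriteProcessMemory IoCs were recorded on.
    if image.endswith(r"\syswow64\rundll32.exe") and parent.endswith(r"\system32\rundll32.exe"):
        findings.append("64-bit rundll32 spawned 32-bit (SysWOW64) rundll32: WoW64 hand-off of a 32-bit DLL")
    return findings


def check_image_load(evt):
    """Sysmon Event ID 7: compare the loaded image's hashes against the sample's."""
    hashes = {}
    for part in evt.get("Hashes", "").split(","):  # format: "MD5=...,SHA256=...,IMPHASH=..."
        if "=" in part:
            alg, val = part.split("=", 1)
            hashes[alg.strip().lower()] = val.strip().lower()
    hits = [alg for alg, val in SAMPLE_HASHES.items() if hashes.get(alg) == val]
    if hits:
        return [f"loaded image {evt.get('ImageLoaded')} matches sample hash ({', '.join(hits)})"]
    return []


def check_network_connect(evt):
    """Sysmon Event ID 3: match destination ip:port against the extracted C2 list."""
    ip, port = evt.get("DestinationIp"), int(evt.get("DestinationPort", 0))
    if (ip, port) in DRIDEX_C2:
        return [f"connection to Dridex C2 {ip}:{port} from {evt.get('Image')}"]
    return []


CHECKS = {1: check_process_create, 3: check_network_connect, 7: check_image_load}


def run_detections(events):
    """Return (pid, finding) tuples for every check that fires on the event stream."""
    findings = []
    for evt in events:
        for msg in CHECKS.get(evt["EventID"], lambda e: [])(evt):
            findings.append((evt["ProcessId"], msg))
    return findings


# Constructed events mirroring the report's process tree, DLL load and a C2 contact,
# followed by two benign events (a Control Panel applet launch and a DNS lookup).
DLL = r"C:\Users\Admin\AppData\Local\Temp\e5a1785a5b06c596107a75eb1e51454b.dll"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1924, "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventID": 1, "ProcessId": 1000, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe", "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventID": 7, "ProcessId": 1000, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ImageLoaded": DLL,
     "Hashes": "MD5=E5A1785A5B06C596107A75EB1E51454B,"
               "SHA256=905960957F03C7A56DEAEE448AC8FFF59F7AAD97619EE5A98EB220B9CEBEE849"},
    {"EventID": 3, "ProcessId": 1000, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "193.37.215.79", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 2200, "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 3, "ProcessId": 2200, "Image": r"C:\Windows\system32\rundll32.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for pid, msg in run_detections(SAMPLE_EVENTS):
        print(f"PID {pid}: {msg}")
```

Run as-is it reports five findings, all on PIDs 1924 and 1000, and nothing on the benign rundll32 applet launch or the DNS lookup. The C2 match is deliberately on the exact ip:port pair from the config rather than the IP alone, since 443 on a shared host would otherwise be noisy; the WoW64 hand-off check is emitted as context because it fires for every 32-bit DLL, and only becomes interesting next to the ordinal-from-AppData load and the cross-process memory writes recorded above.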