Analysis
max time kernel: 39s
max time network: 46s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 23:21
Static task: static1
General
Target: 9e84e737e61102145b2dcb56555b64feb6b1920a2bec63f993cd9267c65eebf7.dll
Size: 160KB
MD5: e4efb576694fdf508f930220e66ed930
SHA1: dee42779d1bc1d347ab1c9bdef64ce46d79ca0df
SHA256: 9e84e737e61102145b2dcb56555b64feb6b1920a2bec63f993cd9267c65eebf7
SHA512: 6da9c8633eebc1008887fa6256e14b86d428e4df295eb5cf5423aba35ce3182571d7945f486003d7cfbace24f86aa0972231cc2d10813c67a7876e8428d56b89
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
Signatures
Processes:
  resource: behavioral1/memory/1132-115-0x0000000074160000-0x000000007418E000-memory.dmp
  yara_rule: dridex_ldr
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 908 wrote to memory of 1132 | 908 | rundll32.exe | rundll32.exe
  PID 908 wrote to memory of 1132 | 908 | rundll32.exe | rundll32.exe
  PID 908 wrote to memory of 1132 | 908 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e84e737e61102145b2dcb56555b64feb6b1920a2bec63f993cd9267c65eebf7.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e84e737e61102145b2dcb56555b64feb6b1920a2bec63f993cd9267c65eebf7.dll,#1
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1132-114-0x0000000000000000-mapping.dmp
memory/1132-115-0x0000000074160000-0x000000007418E000-memory.dmp (Filesize: 184KB)
memory/1132-117-0x0000000000CA0000-0x0000000000CA6000-memory.dmp (Filesize: 24KB)
memory/1132-119-0x0000000003000000-0x0000000003001000-memory.dmp (Filesize: 4KB)