Analysis
max time kernel: 103s
max time network: 106s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 17:56
Static task: static1
General
Target: 330983e21c3fec152bf33d35bff06b65d04f0cef36c95699e1826d706514ffd1.dll
Size: 162KB
MD5: 32dc78fec20937eca32814c002136a78
SHA1: f22c14bddd3ef179de82c3d7c2cef193c43ea31a
SHA256: 330983e21c3fec152bf33d35bff06b65d04f0cef36c95699e1826d706514ffd1
SHA512: 04886e3ef87efbcf92e412e9be58ed33a36ff3958712b8138ddbdeb8c72fea985edff9b23f416236997098cfaf819909228d9d3a3b478db60bdc9ec5377bc76e
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

Processes:
resource: behavioral1/memory/2440-115-0x0000000073990000-0x00000000739BE000-memory.dmp
yara_rule: dridex_ldr

Processes: rundll32.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description: PID 1456 wrote to memory of 2440; pid: 1456; process: rundll32.exe; target process: rundll32.exe
description: PID 1456 wrote to memory of 2440; pid: 1456; process: rundll32.exe; target process: rundll32.exe
description: PID 1456 wrote to memory of 2440; pid: 1456; process: rundll32.exe; target process: rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\330983e21c3fec152bf33d35bff06b65d04f0cef36c95699e1826d706514ffd1.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\330983e21c3fec152bf33d35bff06b65d04f0cef36c95699e1826d706514ffd1.dll,#1
    - Checks whether UAC is enabled