Analysis
- max time kernel: 40s
- max time network: 48s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 21:39
- Static task: static1
General
- Target: eaca8449ab5b64e9758e73b632a7d7cec5404a229695d18d5214a1bce6d09618.dll
- Size: 162KB
- MD5: db232929f516847e454011d278721e02
- SHA1: 34e31fc053beba96a35161c783f0224af66f71ef
- SHA256: eaca8449ab5b64e9758e73b632a7d7cec5404a229695d18d5214a1bce6d09618
- SHA512: 02ba11682643d773489b8970825ed28c3898b8800745d3aa31df010bc5df36a7af094f81d272feeb58998657ba6a02ecf02a62a3725a17f3e97fe3fdb54a967f
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource: behavioral1/memory/3964-115-0x0000000073860000-0x000000007388E000-memory.dmp
  yara_rule: dridex_ldr
- Processes:
  process: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2208 wrote to memory of 3964 | 2208 | rundll32.exe | rundll32.exe
  PID 2208 wrote to memory of 3964 | 2208 | rundll32.exe | rundll32.exe
  PID 2208 wrote to memory of 3964 | 2208 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaca8449ab5b64e9758e73b632a7d7cec5404a229695d18d5214a1bce6d09618.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaca8449ab5b64e9758e73b632a7d7cec5404a229695d18d5214a1bce6d09618.dll,#1
    - Checks whether UAC is enabled