Analysis
max time kernel: 98s
max time network: 135s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 17:12
Static task: static1
Behavioral task: behavioral1
  Sample: 06a3cf6065d432941b68e7e429c9eb8c05f66ae4388d60112c97c6b6ddd3667d.dll
  Resource: win7v20210410
  Platform: windows7_x64
  0 signatures, 0 seconds
General
Target: 06a3cf6065d432941b68e7e429c9eb8c05f66ae4388d60112c97c6b6ddd3667d.dll
Size: 162KB
MD5: a2e2b193d49df615ed0275d2fd596929
SHA1: f90b9057182c1ded459f83b3f6563422acb95931
SHA256: 06a3cf6065d432941b68e7e429c9eb8c05f66ae4388d60112c97c6b6ddd3667d
SHA512: d50e36b6659c56758edc593a87a03b92ecdb3853393d2f905a786912a7b8be417c9b6e77e721f7e2d41c6c8ac16218d5e9833ac00a270319afbc1a5c5f4d7a07
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
- 107.172.227.10:443
- 172.93.133.123:2303
- 108.168.61.147:8172
rc4.plain
rc4.plain
Signatures
Processes:
  resource | yara_rule
  behavioral2/memory/4076-115-0x00000000755E0000-0x000000007560E000-memory.dmp | dridex_ldr
Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
  description | pid | process | target process
  PID 4048 wrote to memory of 4076 | 4048 | rundll32.exe | rundll32.exe
  PID 4048 wrote to memory of 4076 | 4048 | rundll32.exe | rundll32.exe
  PID 4048 wrote to memory of 4076 | 4048 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a3cf6065d432941b68e7e429c9eb8c05f66ae4388d60112c97c6b6ddd3667d.dll,#1
   PID: 4048
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a3cf6065d432941b68e7e429c9eb8c05f66ae4388d60112c97c6b6ddd3667d.dll,#1
      PID: 4076
      - Checks whether UAC is enabled