Analysis
Max time kernel: 26s
Max time network: 76s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 21-04-2021 21:25
Static task: static1
General
Target: b5aa689ba76f8aa51cd4c8d0d676fdb6fe42bcb6e9fc938dc23dfe0d64f61d33.dll (the file is named after its own SHA256)
Size: 162KB
MD5: 1e163ec385d52c9f17dbc6e0a9526fd7
SHA1: a399ba0d27776a7429dc6e9530acf5e22a3bfc6d
SHA256: b5aa689ba76f8aa51cd4c8d0d676fdb6fe42bcb6e9fc938dc23dfe0d64f61d33
SHA512: b14cfcc07071fec3af77853589bede533ccf7b4e42d84a998940d33203076c4e54ce42e54df3d89c4b9b428828e315d811db1901fa83747c6481a8f42bf9f86e
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures
YARA match: dridex_ldr
  Resource: behavioral1/memory/3276-115-0x0000000073990000-0x00000000739BE000-memory.dmp
  This is a dump of the region 0x73990000-0x739BE000 in PID 3276, the SysWOW64 rundll32.exe child in the process tree below; the loader code the rule matches lives there, not in the parent.
Checks whether UAC is enabled
  Process: rundll32.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3260 (rundll32.exe, the 64-bit parent) wrote to the memory of PID 3276 (rundll32.exe, the SysWOW64 child); the same parent-to-child write is recorded three times.
  Caveat: the 64-bit rundll32.exe in system32 re-launches its SysWOW64 counterpart when the DLL it is asked to load is 32-bit, as the hand-off here indicates, so a parent-to-child WriteProcessMemory during that hand-off is expected rundll32 behaviour and is not by itself evidence of injection. The sample's own activity shows up in the child (the UAC check and the memory region matching dridex_ldr).
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5aa689ba76f8aa51cd4c8d0d676fdb6fe42bcb6e9fc938dc23dfe0d64f61d33.dll,#1
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5aa689ba76f8aa51cd4c8d0d676fdb6fe42bcb6e9fc938dc23dfe0d64f61d33.dll,#1
      Signatures: Checks whether UAC is enabled
The ",#1" suffix tells rundll32.exe to call the DLL's export at ordinal 1 rather than a named entry point, which is why no function name appears in the command line.
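The behaviours in the Signatures and Processes sections above translate directly into hunting logic. The Python below is an added example written for this page; it is not part of the sandbox report or of any vendor's tooling. It runs three rules over a handful of constructed EDR-style records modelled on the process tree (the field names Action, ProcessId, ParentProcessId, Image, ParentImage, CommandLine, ParentCommandLine and TargetObject, the explorer.exe parent, and the benign control event are all assumptions) and pulls the C2 list out of the report's own extracted-config block.

```python
r"""Hunting logic derived from the sandbox report above.

Added example, not part of the original report or of any sandbox vendor's
tooling. It runs over constructed EDR-style records (assumed field names:
Action, ProcessId, ParentProcessId, Image, ParentImage, CommandLine,
ParentCommandLine, TargetObject) and flags the behaviours the report records:

  1. rundll32.exe loading a DLL from the user's Temp directory by export
     ordinal (",#1"), the way the sample was launched;
  2. the 64-bit system32 rundll32.exe spawning SysWOW64 rundll32.exe with the
     same DLL argument, the WoW64 hand-off in the process tree;
  3. rundll32.exe querying ...\Policies\System\EnableLUA, the "Checks whether
     UAC is enabled" signature.

It also parses the C2 addresses out of the report's extracted config block.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Assumed patterns, tuned to the command lines and registry path in the report.
RUNDLL_ORDINAL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?\.dll)\s*,\s*#(?P<ordinal>\d+)", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ENABLE_LUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
C2_LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")

# DLL path exactly as it appears in the report's process tree.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\b5aa689ba76f8aa51cd4c8d0d676fdb6fe42bcb6e9fc938dc23dfe0d64f61d33.dll")

# Constructed records modelled on the report; the explorer.exe parent and the
# final benign control event are assumptions.
SAMPLE_EVENTS: List[Event] = [
    {"Action": "ProcessCreate", "ProcessId": "3260", "ParentProcessId": "1234",
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"rundll32.exe {DLL},#1", "ParentCommandLine": "explorer.exe"},
    {"Action": "ProcessCreate", "ProcessId": "3276", "ParentProcessId": "3260",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1",
     "ParentCommandLine": f"rundll32.exe {DLL},#1"},
    {"Action": "RegistryQuery", "ProcessId": "3276",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Policies\System\EnableLUA"},
    {"Action": "ProcessCreate", "ProcessId": "4100", "ParentProcessId": "1234",
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentCommandLine": "explorer.exe"},
]

# The report's own config block, used as input for parse_c2().
REPORT_CONFIG = """Family
dridex
Botnet
40112
C2
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
rc4.plain
"""


def dll_arg(cmdline: str) -> str:
    """DLL path in a 'rundll32 <dll>,#<ordinal>' command line, or '' if none."""
    m = RUNDLL_ORDINAL_RE.search(cmdline)
    return m.group("dll").strip() if m else ""


def is_temp_dll_by_ordinal(ev: Event) -> bool:
    """Rule 1: rundll32 invoking a DLL under the user's Temp directory by ordinal."""
    return (ev.get("Action") == "ProcessCreate"
            and ev.get("Image", "").lower().endswith(r"\rundll32.exe")
            and TEMP_DIR_RE.search(dll_arg(ev.get("CommandLine", ""))) is not None)


def is_wow64_handoff(ev: Event) -> bool:
    """Rule 2: system32 rundll32 spawning SysWOW64 rundll32 with the same DLL."""
    child = ev.get("Image", "").lower().endswith(r"\syswow64\rundll32.exe")
    parent = ev.get("ParentImage", "").lower().endswith(r"\system32\rundll32.exe")
    own, parents = dll_arg(ev.get("CommandLine", "")), dll_arg(ev.get("ParentCommandLine", ""))
    return (ev.get("Action") == "ProcessCreate" and child and parent
            and own != "" and own.lower() == parents.lower())


def is_uac_check(ev: Event) -> bool:
    """Rule 3: rundll32 reading the EnableLUA policy value (UAC enabled?)."""
    return (ev.get("Action") == "RegistryQuery"
            and ev.get("Image", "").lower().endswith(r"\rundll32.exe")
            and ENABLE_LUA_RE.search(ev.get("TargetObject", "")) is not None)


RULES = {"temp_dll_by_ordinal": is_temp_dll_by_ordinal,
         "wow64_rundll32_handoff": is_wow64_handoff,
         "uac_enablelua_query": is_uac_check}


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """(ProcessId, rule name) for every event that matches a rule."""
    return [(ev.get("ProcessId", "?"), name)
            for ev in events for name, rule in RULES.items() if rule(ev)]


def parse_c2(config_text: str) -> List[Tuple[str, int]]:
    """(ip, port) pairs listed under the 'C2' header of an extracted config."""
    out, in_c2 = [], False
    for line in config_text.splitlines():
        line = line.strip()
        if line == "C2":
            in_c2 = True
            continue
        m = C2_LINE_RE.match(line) if in_c2 else None
        if m:
            out.append((m.group("ip"), int(m.group("port"))))
        elif in_c2:
            break  # first non-address line ends the C2 block
    return out


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
    for ip, port in parse_c2(REPORT_CONFIG):
        print(f"C2 {ip}:{port}")
```

Rule 2 fires only on the child, so it pairs naturally with the report's WriteProcessMemory finding without treating the hand-off itself as injection; rule 1 fires on both parent and child, which is the higher-signal indicator (rundll32 calling an ordinal in a DLL dropped under Temp). Two of the three C2 endpoints use non-standard ports (2303 and 8172), so match network telemetry on the full IP:port pairs rather than on port 443 alone.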