Analysis
- max time kernel: 49s
- max time network: 60s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 22:58
- Static task: static1
General
- Target: 6fdb260934f43d3f40feb85f3155b092972d2368b6a9b96dde0d7d57f1db4c0a.dll
- Size: 162KB
- MD5: 21181858f1e542ffc88fdebde018d9f9
- SHA1: 1dc72a46cf50232449794d17f4320bb1bb5b5d85
- SHA256: 6fdb260934f43d3f40feb85f3155b092972d2368b6a9b96dde0d7d57f1db4c0a
- SHA512: 20c53e592c81cf33d489e060db254dc5397d939c315893a26424bdc845803c805744cb685ea2733706fb2d64d136fba2d89cdbc150a68f7e1fac148291367256
Malware Config (extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 107.172.227.10:443
  - 172.93.133.123:2303
  - 108.168.61.147:8172
- rc4.plain
- rc4.plain
Signatures

YARA match (memory)
- resource: behavioral1/memory/1336-115-0x0000000074430000-0x000000007445E000-memory.dmp
- yara_rule: dridex_ldr

Checks whether UAC is enabled
- description: Key value queried
- ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
- description: PID 808 wrote to memory of 1336; pid: 808; process: rundll32.exe; target process: rundll32.exe
- description: PID 808 wrote to memory of 1336; pid: 808; process: rundll32.exe; target process: rundll32.exe
- description: PID 808 wrote to memory of 1336; pid: 808; process: rundll32.exe; target process: rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line (the DLL is invoked by export ordinal #1): rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fdb260934f43d3f40feb85f3155b092972d2368b6a9b96dde0d7d57f1db4c0a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child of the process above)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fdb260934f43d3f40feb85f3155b092972d2368b6a9b96dde0d7d57f1db4c0a.dll,#1
    - Checks whether UAC is enabled