Analysis
Max time kernel: 39s
Max time network: 47s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-04-2021 22:03
Static task: static1
General
Target: 280bd5efc449fa5037d1492019af9f27b61391d50c6867f6e98e1a9b46871b3e.dll
Size: 162KB
MD5: 6ed6eb825df53d6be7b8eae6a3f96e41
SHA1: 04b6c8ffb584f6f0d79ea1ac3a351897951e2dd1
SHA256: 280bd5efc449fa5037d1492019af9f27b61391d50c6867f6e98e1a9b46871b3e
SHA512: 690282aba85a26df24c0cc81d9da125abe0263b8aaa46f0b02901c0841f6b10451e17f90f939320c4589dbe14e66e7c9e93b4c9827361a7b066ade8caae5213c
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
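Two of the three C2 endpoints use non-standard ports (2303 and 8172), so an egress rule that only watches port 443 misses them. The following is an added example, not part of the sandbox report: it takes the extracted botnet ID and C2 list above, sweeps constructed connection-log lines for contacts to those endpoints (exact ip:port, or IP-only for broader hunting), and emits one Suricata rule per endpoint. The log lines, the key=value log layout and the SID range are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Family, botnet ID and C2 endpoints are taken from the Malware Config above.
DRIDEX_C2 = {
    "family": "dridex",
    "botnet": 40112,
    "endpoints": ["107.172.227.10:443", "172.93.133.123:2303", "108.168.61.147:8172"],
}


@dataclass(frozen=True)
class Endpoint:
    ip: ipaddress.IPv4Address
    port: int


def parse_endpoint(text):
    """Parse 'ip:port'; a mistyped IOC should fail here, not silently match nothing."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) <= 65535:
        raise ValueError(f"bad endpoint {text!r}")
    return Endpoint(ipaddress.IPv4Address(host), int(port))


# Constructed connection-log lines in a key=value layout (not real traffic).
SAMPLE_LOG = """\
ts=2021-04-21T22:04:11Z src=10.0.0.15 dst=107.172.227.10 dport=443 proto=tcp
ts=2021-04-21T22:04:12Z src=10.0.0.15 dst=172.93.133.123 dport=2303 proto=tcp
ts=2021-04-21T22:04:13Z src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp
ts=2021-04-21T22:04:14Z src=10.0.0.22 dst=108.168.61.147 dport=80 proto=tcp
"""

_KV = re.compile(r"(\w+)=(\S+)")


def find_c2_hits(log_text, c2=DRIDEX_C2, match_port=True):
    """Return (src, dst, dport) for every connection that reaches a configured C2.

    match_port=True requires the exact ip:port pair from the config.  With
    match_port=False any connection to a C2 IP is reported; use that when hunting
    through older logs, since a C2 IP seen on an unexpected port is still a lead.
    """
    endpoints = {parse_endpoint(e) for e in c2["endpoints"]}
    c2_ips = {e.ip for e in endpoints}
    hits = []
    for line in log_text.splitlines():
        rec = dict(_KV.findall(line))
        try:
            dst = ipaddress.IPv4Address(rec["dst"])
            dport = int(rec.get("dport", 0))
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than abort the sweep
        matched = (Endpoint(dst, dport) in endpoints) if match_port else (dst in c2_ips)
        if matched:
            hits.append((rec.get("src", "?"), str(dst), dport))
    return hits


def suricata_rules(c2=DRIDEX_C2, sid_base=9000000):
    """Emit one Suricata rule per C2 endpoint; sid_base is a placeholder local SID range."""
    rules = []
    for i, raw in enumerate(c2["endpoints"]):
        ep = parse_endpoint(raw)
        rules.append(
            f'alert tcp $HOME_NET any -> {ep.ip} {ep.port} '
            f'(msg:"{c2["family"]} botnet {c2["botnet"]} C2 {ep.ip}:{ep.port}"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 contact:", hit)
    print("\n".join(suricata_rules()))
```

Run as a script it lists the two exact-match contacts from the constructed log and prints the three rules; the IP-only mode also surfaces the port-80 contact to 108.168.61.147, which is the kind of near-miss worth a second look in historical data.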
Signatures
YARA match (resource / yara_rule)
  behavioral1/memory/3600-115-0x0000000073B70000-0x0000000073B9E000-memory.dmp   dridex_ldr
  The matching dump comes from PID 3600, the SysWOW64 rundll32.exe child in the process tree. The region 0x73B70000-0x73B9E000 is 0x2E000 bytes (184 KB), lies in 32-bit user space, and is large enough for the mapped image of the 162 KB DLL, so the hit is consistent with the loader's own mapped image rather than with a separately allocated payload.
Checks whether UAC is enabled (description / ioc / process)
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Reading EnableLUA tells the code whether UAC is turned on. On its own this is reconnaissance, not a bypass, but it is the usual precursor to a loader deciding whether to attempt elevation.
Suspicious use of WriteProcessMemory, 3 IoCs (description / pid / process / target process)
  PID 2112 wrote to memory of 3600   2112   rundll32.exe   rundll32.exe
  PID 2112 wrote to memory of 3600   2112   rundll32.exe   rundll32.exe
  PID 2112 wrote to memory of 3600   2112   rundll32.exe   rundll32.exe
  All three writes are from the 64-bit rundll32.exe (PID 2112) into the SysWOW64 rundll32.exe it spawned (PID 3600). A 64-bit rundll32 handed a 32-bit DLL relaunches the 32-bit rundll32 with the same command line and writes into the new process while setting it up, so these hits are consistent with that hand-off and do not by themselves show injection into a foreign process. Check the size and protection of what was written before calling it injection.
Processes
C:\Windows\system32\rundll32.exe (PID 2112)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\280bd5efc449fa5037d1492019af9f27b61391d50c6867f6e98e1a9b46871b3e.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 3600, child of 2112)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\280bd5efc449fa5037d1492019af9f27b61391d50c6867f6e98e1a9b46871b3e.dll,#1
    - Checks whether UAC is enabled
The DLL is invoked through export ordinal #1, from the user's Temp directory. The relaunch under SysWOW64 shows the DLL is 32-bit: the 64-bit rundll32 cannot load it and hands the same command line to its 32-bit counterpart, so the signatures attributed to PID 3600 (the UAC check and the in-memory YARA hit) are the sample's own behaviour. PIDs are those recorded in the WriteProcessMemory signature.
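The tree above is a compact pattern to detect in endpoint telemetry: rundll32 loading a DLL out of a user's Temp directory by ordinal, followed by a System32 rundll32 spawning a SysWOW64 rundll32 with the same DLL. The following is an added example, not part of the report: it parses rundll32 command lines from constructed Sysmon-style process-creation records, flags the weak signals on each event, and pairs the 64-bit parent with its 32-bit child so both PIDs are tied to one sample. The PIDs 2112 and 3600, images and command line come from the report; the explorer.exe parent (PID 1500), the benign third event and the `ProcEvent` field subset are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of the fields in a Sysmon process-creation event (Event ID 1)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# rundll32 syntax is "<rundll32> <dll>,<entry>", where <entry> is an export name
# or an ordinal written as "#N".  The optional quotes cover paths with spaces.
_RUNDLL = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>#\d+|\w+)',
    re.IGNORECASE,
)
_USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Command line from the process tree above.
DLL_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
           r"\280bd5efc449fa5037d1492019af9f27b61391d50c6867f6e98e1a9b46871b3e.dll,#1")

# Constructed events: PIDs 2112/3600, images and command line are from the report;
# the explorer.exe parent (PID 1500) and the benign third event are made up for contrast.
EVENTS = [
    ProcEvent(2112, r"C:\Windows\system32\rundll32.exe", DLL_CMD, 1500, r"C:\Windows\explorer.exe"),
    ProcEvent(3600, r"C:\Windows\SysWOW64\rundll32.exe", DLL_CMD, 2112, r"C:\Windows\system32\rundll32.exe"),
    ProcEvent(4100, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", 1500, r"C:\Windows\explorer.exe"),
]


def parse_rundll32(cmd):
    """Return (dll_path, entry) for a rundll32 command line, or None if it is not one."""
    m = _RUNDLL.match(cmd)
    return (m["dll"], m["entry"]) if m else None


def rundll32_findings(ev):
    """Reasons a single rundll32 event is worth a look; an empty list means nothing stood out."""
    parsed = parse_rundll32(ev.command_line)
    if parsed is None:
        return []
    dll, entry = parsed
    reasons = []
    if _USER_TEMP.search(dll):
        reasons.append("dll loaded from the user's Temp directory")
    if entry.startswith("#"):
        # Ordinal calls have legitimate uses, so this is a weak signal on its own.
        reasons.append(f"export called by ordinal ({entry})")
    return reasons


def wow64_relaunches(events):
    """Pair each System32 rundll32 with a SysWOW64 rundll32 child that loads the same DLL.

    This is what a 64-bit rundll32 does when handed a 32-bit DLL, so the pair itself
    is expected; the point is to tie both PIDs to one DLL so that memory dumps,
    registry reads and network activity from either PID are attributed to the same sample.
    """
    by_pid = {e.pid: e for e in events}
    pairs = []
    for child in events:
        parent = by_pid.get(child.parent_pid)
        if parent is None:
            continue
        if (child.image.lower() == r"c:\windows\syswow64\rundll32.exe"
                and parent.image.lower() == r"c:\windows\system32\rundll32.exe"):
            p, c = parse_rundll32(parent.command_line), parse_rundll32(child.command_line)
            if p and c and p[0].lower() == c[0].lower():
                pairs.append((parent.pid, child.pid, c[0]))
    return pairs


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.pid, ev.image, rundll32_findings(ev))
    print(wow64_relaunches(EVENTS))
```

Neither finding is conclusive alone (ordinal exports and Temp-directory DLLs both occur in legitimate installers), which is why the relaunch pairing matters: once the child PID is linked to the same DLL, the EnableLUA read and the in-memory YARA hit from PID 3600 can be joined to the parent's command line in one alert.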