Analysis
- max time kernel: 85s
- max time network: 108s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-04-2021 00:20
- Static task: static1
General
- Target: 5acae68666a1342099c1061e2451d3da99218088c98a4eb8532b14130db96263.dll
- Size: 162KB
- MD5: 68834cc5fe8e7bae296b204134786146
- SHA1: 208af3d6be4314087f1c9ecc3776849eecc6e716
- SHA256: 5acae68666a1342099c1061e2451d3da99218088c98a4eb8532b14130db96263
- SHA512: 3863f2b8f3adfe8e2cd342b32f191ad89ec590845ab6c3f79440e9c6e8c380afc009b66c1860568ad2e32abe4ca76c693849e492fb0410eedc669f50969788c2
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  - 107.172.227.10:443
  - 172.93.133.123:2303
  - 108.168.61.147:8172
- rc4.plain
- rc4.plain
Signatures
- YARA rule match (dridex_ldr)
  Processes:
  resource | yara_rule
  behavioral1/memory/1716-115-0x0000000073990000-0x00000000739BE000-memory.dmp | dridex_ldr
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 1456 wrote to memory of 1716 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1716 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1716 | 1456 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5acae68666a1342099c1061e2451d3da99218088c98a4eb8532b14130db96263.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5acae68666a1342099c1061e2451d3da99218088c98a4eb8532b14130db96263.dll,#1
    Signatures: Checks whether UAC is enabled