Analysis

Max time kernel: 49s
Max time network: 57s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 04-05-2021 14:15
Static task: static1
General

Target: ed9c28e79fd27799670018b83a884fdce20ec7b28bfbd88900fccd8fc9356004.dll
Size: 161KB
MD5: bea0c23c048da8692a31c85bb80a68e6
SHA1: e41235530c73dda45e56e1762ed841ecbd513853
SHA256: ed9c28e79fd27799670018b83a884fdce20ec7b28bfbd88900fccd8fc9356004
SHA512: 3f41ec7167bc650c6e57f76948e1da40e8f889ece8743e7845c9d629946455a45b330f2096637a53e2f4f5c2a6e236b6de64852ef7ab594d84e95b7d512b8075
Malware Config

Extracted
Family: dridex
Botnet: 40111
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

Processes:
resource                                                                     | yara_rule
behavioral1/memory/1036-115-0x0000000074440000-0x000000007446E000-memory.dmp | dridex_ldr

Processes:
description       | ioc                                                                                 | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                   | pid | process      | target process
PID 808 wrote to memory of 1036 | 808 | rundll32.exe | rundll32.exe
PID 808 wrote to memory of 1036 | 808 | rundll32.exe | rundll32.exe
PID 808 wrote to memory of 1036 | 808 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed9c28e79fd27799670018b83a884fdce20ec7b28bfbd88900fccd8fc9356004.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed9c28e79fd27799670018b83a884fdce20ec7b28bfbd88900fccd8fc9356004.dll,#1
    - Checks whether UAC is enabled