Analysis

max time kernel: 28s
max time network: 110s
platform: windows10_x64
resource: win10v20210408
submitted: 04-05-2021 13:37

Static task: static1
Behavioral task: behavioral1
  Sample: edf4dc19e4d3df063b1e0fe90b338aee7966d000392bb906a53006acb174900e.dll
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
General

Target: edf4dc19e4d3df063b1e0fe90b338aee7966d000392bb906a53006acb174900e.dll
Size: 162KB
MD5: a7640ca7b4a48c8a291820e04fc81a9d
SHA1: 72f8638f3d56dbed9b6d281303b1c52ff2f0449a
SHA256: edf4dc19e4d3df063b1e0fe90b338aee7966d000392bb906a53006acb174900e
SHA512: 6e63eccc525ed5004d63e41fa4549ab4bb5f252a2592c31bf9272a6d75138c2e3b74e7f4b94cf48a22aa1e207fb05fd62bd1370660eecec18c6071445ab3cfa5
Malware Config (Extracted)

Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

YARA match
  resource: behavioral2/memory/2156-115-0x0000000073890000-0x00000000738BE000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
  Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       | pid  | process      | target process
  PID 2988 wrote to memory of 2156  | 2988 | rundll32.exe | rundll32.exe
  PID 2988 wrote to memory of 2156  | 2988 | rundll32.exe | rundll32.exe
  PID 2988 wrote to memory of 2156  | 2988 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\edf4dc19e4d3df063b1e0fe90b338aee7966d000392bb906a53006acb174900e.dll,#1
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\edf4dc19e4d3df063b1e0fe90b338aee7966d000392bb906a53006acb174900e.dll,#1
   - Checks whether UAC is enabled