Analysis
max time kernel: 19s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 10-06-2021 23:55
Static task: static1
General
Target: 64ff202ae5128e53cb2373d15487e5ee332957fba4e30a9235c5c878d389753c.dll
Size: 162KB
MD5: 8f15cf902cb351a5fd75b2c2b048e193
SHA1: 6846b91aec5299b9820284bac0618a1377f2d72b
SHA256: 64ff202ae5128e53cb2373d15487e5ee332957fba4e30a9235c5c878d389753c
SHA512: 5bfac65c238b9ce4d64fb1649bccfe1f71d9dd394068e2d66e4bf83982ac5eaa74d430c8b49c8433fd8e72a6da5f431ca236f9c67048f439be0e6f005b757088
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/3452-115-0x00000000742E0000-0x000000007430E000-memory.dmp
  yara_rule: dridex_ldr

Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 4084 wrote to memory of 3452 | pid: 4084 | process: rundll32.exe | target process: rundll32.exe
  description: PID 4084 wrote to memory of 3452 | pid: 4084 | process: rundll32.exe | target process: rundll32.exe
  description: PID 4084 wrote to memory of 3452 | pid: 4084 | process: rundll32.exe | target process: rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\64ff202ae5128e53cb2373d15487e5ee332957fba4e30a9235c5c878d389753c.dll,#1
  Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\64ff202ae5128e53cb2373d15487e5ee332957fba4e30a9235c5c878d389753c.dll,#1
    Checks whether UAC is enabled