Analysis
- max time kernel: 19s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 02:10
- Static task: static1
General
- Target: 76ae0a41c471ed439947b97fe3fc7716ac156165e199ee99e2766dd3d0677b97.dll
- Size: 162KB
- MD5: a2ad9ac5c049e633805972689ffbc63c
- SHA1: fa26d217765eadf5ef550f55e0fd1fd57e826d7d
- SHA256: 76ae0a41c471ed439947b97fe3fc7716ac156165e199ee99e2766dd3d0677b97
- SHA512: d4626ca19819a9ca9b8c8c0f68fd9d5181c494168c0e2b1de9283264dc1d8b80df553fe48b81b9830d47de5305dd784cf0068f6d437f70c898760a7e0a8e0e01
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 107.172.227.10:443
  - 172.93.133.123:2303
  - 108.168.61.147:8172
- rc4.plain
- rc4.plain
Signatures
- YARA rule match
  Processes:
  resource                                                                             yara_rule
  behavioral1/memory/3984-115-0x0000000073BF0000-0x0000000073C1E000-memory.dmp         dridex_ldr
- Registry key value queried
  Processes: rundll32.exe
  description          ioc                                                                                   process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                          pid     process         target process
  PID 3152 wrote to memory of 3984     3152    rundll32.exe    rundll32.exe
  PID 3152 wrote to memory of 3984     3152    rundll32.exe    rundll32.exe
  PID 3152 wrote to memory of 3984     3152    rundll32.exe    rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ae0a41c471ed439947b97fe3fc7716ac156165e199ee99e2766dd3d0677b97.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ae0a41c471ed439947b97fe3fc7716ac156165e199ee99e2766dd3d0677b97.dll,#1
    - Checks whether UAC is enabled