Analysis

max time kernel: 19s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:18
Static task: static1
General

Target: 5d9ed5937eacf98945d9b404e2d9d0f55717423bd8ef9ec38d39ad2e1933d563.dll
Size: 162KB
MD5: 9f43fccccd8f60b0edcd51bc3dc96793
SHA1: 9ff18ec50b8a04732e5acb6c6f0024c5233fbdee
SHA256: 5d9ed5937eacf98945d9b404e2d9d0f55717423bd8ef9ec38d39ad2e1933d563
SHA512: a415dc09a9b580a6aed3c108f5af3d855ebf9b627e9f4c43860a66ca6666ecbd5a203c299359c921bdaa60e4b557496a1a6c119cb05ccd79405d4be34777f2d4
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

resource | yara_rule
behavioral1/memory/3700-115-0x00000000739D0000-0x00000000739FE000-memory.dmp | dridex_ldr

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3744 wrote to memory of 3700 | 3744 | rundll32.exe | 69
PID 3744 wrote to memory of 3700 | 3744 | rundll32.exe | 69
PID 3744 wrote to memory of 3700 | 3744 | rundll32.exe | 69
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d9ed5937eacf98945d9b404e2d9d0f55717423bd8ef9ec38d39ad2e1933d563.dll,#1
  PID: 3744
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d9ed5937eacf98945d9b404e2d9d0f55717423bd8ef9ec38d39ad2e1933d563.dll,#1
    PID: 3700
    - Checks whether UAC is enabled