Analysis
  Max time kernel:   19s
  Max time network:  112s
  Platform:          windows10_x64
  Resource:          win10v20210410
  Submitted:         15/06/2021, 11:13
  Static task:       static1

General
  Target:  27d59d0e50228039b4452617f5cb37468d1054700fc208b73842c9a750169438.dll
  Size:    162KB
  MD5:     8cdeca51c5572f5b0a2908e82f6928ac
  SHA1:    7da36d9f090d9b854adf3b56b19df7e36159bd37
  SHA256:  27d59d0e50228039b4452617f5cb37468d1054700fc208b73842c9a750169438
  SHA512:  140be5e377901dbd5c4d9b2cc80c618a336711dd43f106fa6dd3baba5c6a78350bd58dfe70f06233aa2b5c52437f37b7b51e809c4ed22510deb3008a0526f8da
Malware Config (extracted)
  Family:  dridex
  Botnet:  40112
  C2:
    107.172.227.10:443
    172.93.133.123:2303
    108.168.61.147:8172
  Keys:
    rc4.plain
    rc4.plain
Signatures

  YARA rule match (dridex_ldr)
    resource: behavioral1/memory/3024-115-0x0000000073AA0000-0x0000000073ACE000-memory.dmp
    rule:     dridex_ldr

  Checks whether UAC is enabled
    description: Key value queried
    ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process:     rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   process       procid_target
    PID 3016 wrote to memory of 3024  3016  rundll32.exe  72
    PID 3016 wrote to memory of 3024  3016  rundll32.exe  72
    PID 3016 wrote to memory of 3024  3016  rundll32.exe  72
Processes

  1. C:\Windows\system32\rundll32.exe  (PID 3016)
     command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27d59d0e50228039b4452617f5cb37468d1054700fc208b73842c9a750169438.dll,#1
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe  (PID 3024, child of 3016)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27d59d0e50228039b4452617f5cb37468d1054700fc208b73842c9a750169438.dll,#1
        - Checks whether UAC is enabled