Analysis
- max time kernel: 19s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-06-2021 07:34
- Static task: static1
General
- Target: 7e93400d66225439aeaeb2be13a9b4db0b9588093d2f3a5a56ef6079856d43a0.dll
- Size: 162KB
- MD5: dfeffc8d915edb2c985d533e6f9dbfc4
- SHA1: 3505442acb4e09baea460d1e3c32c039364936c2
- SHA256: 7e93400d66225439aeaeb2be13a9b4db0b9588093d2f3a5a56ef6079856d43a0
- SHA512: 19c6d71bc845d2d45cfd3f86f1eb0f0ba1bc0a89cb49c15af6652ec90f7e5c3d873b65e39bba3627c6df858cd4a5f4552e38761a043beb801d8f9f049177ca61
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 107.172.227.10:443
  - 172.93.133.123:2303
  - 108.168.61.147:8172
- rc4.plain
- rc4.plain
Signatures
- yara_rule match
  - resource: behavioral1/memory/3188-115-0x00000000741E0000-0x000000007420E000-memory.dmp
  - yara_rule: dridex_ldr
- Registry key query (description / ioc / Process)
  - description: Key value queried
  - ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  - Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs; the same row is reported three times)
  - description: PID 3956 wrote to memory of 3188
  - pid: 3956
  - Process: rundll32.exe
  - procid_target: 69
Processes
- C:\Windows\system32\rundll32.exe (PID: 3956)
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e93400d66225439aeaeb2be13a9b4db0b9588093d2f3a5a56ef6079856d43a0.dll,#1
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\SysWOW64\rundll32.exe (PID: 3188)
    - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e93400d66225439aeaeb2be13a9b4db0b9588093d2f3a5a56ef6079856d43a0.dll,#1
    - Checks whether UAC is enabled