Analysis

max time kernel: 19s
max time network: 126s
platform: windows10_x64
resource: win10v20210410
submitted: 22-06-2021 07:14
Static task: static1
General

Target: 738e6046734ed85980c0c27ea6aee81113685fd0cabe37792db22fad1a3d2c87.dll
Size: 162KB
MD5: becb4c59225014949f803e82b13507d5
SHA1: d1d683529f3fc5d6492d6b59ad9049c1d7719c67
SHA256: 738e6046734ed85980c0c27ea6aee81113685fd0cabe37792db22fad1a3d2c87
SHA512: d0c63b352bb11a037905dfc68164c4a61f5bc25cb7abb15b2ca8c9092401da0ec7369bc563cd0c45566c388b3af189e50e63baa8b7b8474755df034772a29b4b
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

yara_rule
resource: behavioral1/memory/1660-115-0x0000000073DE0000-0x0000000073E0E000-memory.dmp
rule: dridex_ldr

Checks whether UAC is enabled
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3892 wrote to memory of 1660 | 3892 | rundll32.exe | 70
PID 3892 wrote to memory of 1660 | 3892 | rundll32.exe | 70
PID 3892 wrote to memory of 1660 | 3892 | rundll32.exe | 70
Processes

C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\738e6046734ed85980c0c27ea6aee81113685fd0cabe37792db22fad1a3d2c87.dll,#1
PID: 3892
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 3892)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\738e6046734ed85980c0c27ea6aee81113685fd0cabe37792db22fad1a3d2c87.dll,#1
  PID: 1660
  - Checks whether UAC is enabled