Analysis
- max time kernel: 19s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-06-2021 13:31
- Static task: static1
General
- Target: 00e36154c818ea31752d4d1951b98e89f13b49f1092fbefb5c17c08d1b15f2ee.dll
- Size: 158KB
- MD5: 108913140001921a49211f8b8e0638d2
- SHA1: 100b26231ecd380b00f4f8e74962d113864683fb
- SHA256: 00e36154c818ea31752d4d1951b98e89f13b49f1092fbefb5c17c08d1b15f2ee
- SHA512: e58fdb1b8f2cb88ab81e4f42e4bd87b7fbb53717208144ea4753066fcc239bda237b0bd7535c01a0ba4ea41a2aec80d37a7b9b0ed3c667d81d92943e376f3901
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 8.210.53.215:443
  - 72.249.22.245:2303
  - 188.40.137.206:8172
- rc4.plain
- rc4.plain
Signatures
- dridex_ldr (yara_rule)
  - resource: behavioral1/memory/3220-115-0x00000000736D0000-0x00000000736FD000-memory.dmp
- Checks whether UAC is enabled (1 IoC)
  - description: Key value queried
  - ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  - Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - description: PID 3176 wrote to memory of 3220; pid: 3176; Process: rundll32.exe; procid_target: 57
  - description: PID 3176 wrote to memory of 3220; pid: 3176; Process: rundll32.exe; procid_target: 57
  - description: PID 3176 wrote to memory of 3220; pid: 3176; Process: rundll32.exe; procid_target: 57
Processes
- 1. C:\Windows\system32\rundll32.exe (PID: 3176)
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\00e36154c818ea31752d4d1951b98e89f13b49f1092fbefb5c17c08d1b15f2ee.dll,#1
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\rundll32.exe (PID: 3220), child of 3176
    - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\00e36154c818ea31752d4d1951b98e89f13b49f1092fbefb5c17c08d1b15f2ee.dll,#1
    - Checks whether UAC is enabled