Analysis
max time kernel: 25s
max time network: 111s
platform: windows10_x64
resource: win10v20210408
submitted: 22-06-2021 08:34
Static task: static1
General
Target: d4d64655a9386b53565bedaea8c2a06bd0a5975b9918e3eb9f6a34ad43fa3227.dll
Size: 162KB
MD5: 2983f132fb2f90970b71cbf6e912a147
SHA1: bc414310fab7c8a8c7b2366dab572ec14187d187
SHA256: d4d64655a9386b53565bedaea8c2a06bd0a5975b9918e3eb9f6a34ad43fa3227
SHA512: 502b02c03856bb77d9060d0c1774828dc045d2d2baf2c833bc745671ed68351e7e0f8646af287f100aac91a5dfcc5c4c2b7e5881d63f227b86ddd2dfabcbb517
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
rc4.plain
rc4.plain
Signatures
Dridex (YARA)
resource: behavioral1/memory/4016-115-0x0000000073560000-0x000000007358E000-memory.dmp
yara_rule: dridex_ldr
The rule fired on a memory dump taken from PID 4016 (the SysWOW64 rundll32.exe in the process tree below), covering the region 0x73560000-0x7358E000, i.e. the loader DLL as mapped in the 32-bit process rather than the file on disk.
Checks whether UAC is enabled
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3716 wrote to memory of 4016 | 3716 | rundll32.exe | 69
PID 3716 wrote to memory of 4016 | 3716 | rundll32.exe | 69
PID 3716 wrote to memory of 4016 | 3716 | rundll32.exe | 69
All three IoCs are the same parent-to-child relationship: the System32 rundll32.exe (3716) writing into the SysWOW64 rundll32.exe (4016) it spawned, not an injection into an unrelated process.
Processes
C:\Windows\system32\rundll32.exe (PID 3716)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4d64655a9386b53565bedaea8c2a06bd0a5975b9918e3eb9f6a34ad43fa3227.dll,#1
  Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4016), child of 3716
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4d64655a9386b53565bedaea8c2a06bd0a5975b9918e3eb9f6a34ad43fa3227.dll,#1
    Checks whether UAC is enabled
The sample is loaded with rundll32.exe by export ordinal (",#1") from the user's Temp directory. The 64-bit System32 rundll32.exe re-executing the same command line under SysWOW64 is the standard behaviour when the DLL it is asked to load is 32-bit, and the 32-bit address range of the YARA match in PID 4016 is consistent with that; the actual loader code, the EnableLUA query and the C2 traffic therefore belong to the child process, not the first rundll32.exe.
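The two host-side indicators in this report (rundll32.exe loading a DLL from %Temp% by ordinal, and a System32 rundll32.exe spawning a SysWOW64 one) and the three C2 endpoints from the extracted config can be turned into checks that run over endpoint telemetry. The script below is an added example, not part of the sandbox report; the event and flow records are constructed Sysmon-style rows that reproduce the PIDs, images and command lines from the process tree above (the parent PID of 3716, the benign rundll32 rows and the non-C2 flows are invented for contrast), and the rule names are the author's.

```python
import re

# C2 endpoints from the Dridex config extracted above (botnet 40112).
DRIDEX_C2 = {
    ("107.172.227.10", 443),
    ("172.93.133.123", 2303),
    ("108.168.61.147", 8172),
}

# rundll32 invoked with a DLL path followed by ",#<ordinal>" (export called by
# ordinal rather than by name), e.g.  rundll32.exe C:\path\x.dll,#1
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*#(\d+)', re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\d4d64655a9386b53565bedaea8c2a06bd0a5975b9918e3eb9f6a34ad43fa3227.dll"

# Constructed Sysmon-style process-creation records. The first two rows mirror
# PIDs 3716 and 4016 from the report; 2344/812/5100/5200 are invented.
SAMPLE_EVENTS = [
    {"pid": 3716, "ppid": 2344,
     "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 4016, "ppid": 3716,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 5100, "ppid": 812,                      # benign: named export, system DLL
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 5200, "ppid": 2344,                     # ordinal call, but not from %Temp%
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",#2'},
]

# Constructed network records (pid, destination ip, destination port); only the
# first one matches an extracted C2 endpoint (the port must match too).
SAMPLE_FLOWS = [
    (4016, "107.172.227.10", 443),
    (4016, "8.8.8.8", 53),
    (5100, "172.93.133.123", 80),
]


def loads_temp_dll_by_ordinal(cmdline):
    """Return (dll_path, ordinal) when rundll32 loads a DLL from the user's
    Temp directory by export ordinal, else None."""
    m = ORDINAL_RE.search(cmdline)
    if not m:
        return None
    path, ordinal = m.group(1), int(m.group(2))
    return (path, ordinal) if TEMP_RE.search(path) else None


def is_wow64_handoff(event):
    """True when a System32 (64-bit) rundll32 is the parent of a SysWOW64
    (32-bit) rundll32, the 3716 -> 4016 relationship in the report."""
    parent = event["parent_image"].lower()
    child = event["image"].lower()
    return parent.endswith(r"\system32\rundll32.exe") and child.endswith(r"\syswow64\rundll32.exe")


def scan_process_events(events):
    """Apply both host checks; returns (pid, rule, detail) tuples in event order."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("rundll32.exe"):
            continue
        hit = loads_temp_dll_by_ordinal(ev["cmdline"])
        if hit:
            findings.append((ev["pid"], "rundll32 loads %Temp% DLL by ordinal", f"{hit[0]},#{hit[1]}"))
        if is_wow64_handoff(ev):
            findings.append((ev["pid"], "System32 rundll32 -> SysWOW64 rundll32", f"parent pid {ev['ppid']}"))
    return findings


def match_c2(flows):
    """Return the flows whose (ip, port) pair is one of the extracted C2 endpoints."""
    return [f for f in flows if (f[1], f[2]) in DRIDEX_C2]


if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
    for flow in match_c2(SAMPLE_FLOWS):
        print("C2 contact:", flow)
```

The ordinal check deliberately requires both conditions (ordinal export and a DLL under AppData\Local\Temp) so that legitimate ordinal calls from Program Files are not flagged; the WoW64 handoff is a weak signal on its own, since any 32-bit DLL passed to the 64-bit rundll32.exe produces it, and is worth alerting on mainly when it coincides with the first rule on the same PID, as it does for 4016 here.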