Analysis
  max time kernel:  27s
  max time network: 135s
  platform:         windows10_x64
  resource:         win10v20210408
  submitted:        22-06-2021 07:23
  Static task:      static1
General
  Target: 774bf42a3d77a0a623407eadbf886b8679e18d482fe834c978c3ed25c76b27ae.dll
  Size:   158KB
  MD5:    9b729ae61eeecca5cb1d1d03745ed2f8
  SHA1:   6a3442a9d3dd87ade2224c704c78abf19cc8846f
  SHA256: 774bf42a3d77a0a623407eadbf886b8679e18d482fe834c978c3ed25c76b27ae
  SHA512: 1c1e31873dc5d95bdf12a665a3847881ccf4b963d9ac0adc13422848f362d95d311b09b8bdeee68784e38471bc9e3276336c789132b010c5213e1f73fb1a6a47
Malware Config
Extracted
  Family: dridex
  Botnet: 40112
  C2:
    8.210.53.215:443
    72.249.22.245:2303
    188.40.137.206:8172
  rc4.plain
  rc4.plain
Signatures

  resource                                                                     | yara_rule
  behavioral1/memory/3956-115-0x0000000073990000-0x00000000739BD000-memory.dmp | dridex_ldr

  Checks whether UAC is enabled
  description       | ioc                                                                                   | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process      | procid_target
  PID 3128 wrote to memory of 3956 | 3128 | rundll32.exe | 70
  PID 3128 wrote to memory of 3956 | 3128 | rundll32.exe | 70
  PID 3128 wrote to memory of 3956 | 3128 | rundll32.exe | 70
Processes

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\774bf42a3d77a0a623407eadbf886b8679e18d482fe834c978c3ed25c76b27ae.dll,#1
    PID: 3128
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\774bf42a3d77a0a623407eadbf886b8679e18d482fe834c978c3ed25c76b27ae.dll,#1
      PID: 3956
      - Checks whether UAC is enabled