Analysis
- max time kernel: 19s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-06-2021 08:48
- Static task: static1
General
- Target: ce2b8a0895662f123ca268c82c9d2eeae865d17fae7aa1976f8a757777f912d9.dll
- Size: 162KB
- MD5: fa717b550e19825f6c5489c1fb577816
- SHA1: c595f15dc2e0e5d70e555698122d38a5bf42c399
- SHA256: ce2b8a0895662f123ca268c82c9d2eeae865d17fae7aa1976f8a757777f912d9
- SHA512: a8afd19e8cc821690c2ea1d6c4235abc7fecd1b89908ec367de6d23dcf009b9e6cf406a0b724a787fc59b5150ade3700e6ec4835c1496a731b5fc20e397d02f0
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
- rc4.plain
- rc4.plain
Signatures
- yara_rule: resource behavioral1/memory/4052-115-0x0000000073F20000-0x0000000073F4E000-memory.dmp matched rule dridex_ldr
- ioc: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4020 wrote to memory of 4052 | pid: 4020 | Process: rundll32.exe | procid_target: 68
  (the same IoC row is reported three times)
Processes
- C:\Windows\system32\rundll32.exe (PID 4020, tree level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce2b8a0895662f123ca268c82c9d2eeae865d17fae7aa1976f8a757777f912d9.dll,#1
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe (PID 4052, tree level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce2b8a0895662f123ca268c82c9d2eeae865d17fae7aa1976f8a757777f912d9.dll,#1
    - Checks whether UAC is enabled