Analysis

max time kernel:  18s
max time network: 116s
platform:         windows10_x64
resource:         win10v20210410
submitted:        22-06-2021 13:41
Static task:      static1
General

Target: 12037ced039b7295d9ff46fe0bcd60601aaf2196b1b778206843aab88841046c.dll
Size:   162KB
MD5:    5383a519d0c6bc59404f52e4d17af7e5
SHA1:   dcdd7b8ff116ee6e90a73a9c1316c9e24d9ca65c
SHA256: 12037ced039b7295d9ff46fe0bcd60601aaf2196b1b778206843aab88841046c
SHA512: 99b4a21e0cfcf1fb986fbf09db5ae01548519c56fca6a3acbdfc64443337a123329ec5b1cfb93578920acdc82775a5eb8ba836df32092b3b253f9ba87a7bfa19
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource:  behavioral1/memory/3220-115-0x00000000736D0000-0x00000000736FE000-memory.dmp
  yara_rule: dridex_ldr

Registry IoC
  description: Key value queried
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process:     rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process       procid_target
  PID 1892 wrote to memory of 3220    1892  rundll32.exe  66
  PID 1892 wrote to memory of 3220    1892  rundll32.exe  66
  PID 1892 wrote to memory of 3220    1892  rundll32.exe  66
Processes

C:\Windows\system32\rundll32.exe (PID: 1892)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12037ced039b7295d9ff46fe0bcd60601aaf2196b1b778206843aab88841046c.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID: 3220)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12037ced039b7295d9ff46fe0bcd60601aaf2196b1b778206843aab88841046c.dll,#1
    - Checks whether UAC is enabled