Analysis
max time kernel: 22s
max time network: 115s
platform: windows10_x64
resource: win10v20210410
submitted: 22-06-2021 03:41
Static task: static1
General
Target: e937a97c5378b0328863623e15530e56cdbcc34f15ca6e1fadb424444b11024e.dll
Size: 162KB
MD5: 7ebe0c90fc0518d9ba465a9bae667411
SHA1: 033247741f8daa191e2065345f6ebe614fd43089
SHA256: e937a97c5378b0328863623e15530e56cdbcc34f15ca6e1fadb424444b11024e
SHA512: df803aea80b229871462b4bd5ebf0844aac03b12257008345096ad15d3fe8b3349e3788dc48f70c43b0ce2c650568715338a2465ab611ddf7bd1653651d4d13b
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain: (key value absent from the extract shown here)
rc4.plain: (key value absent from the extract shown here)
Signatures

YARA rule match: dridex_ldr
  resource: behavioral1/memory/2208-115-0x0000000073BF0000-0x0000000073C1E000-memory.dmp
  The Dridex loader rule matched a 0x2E000-byte region dumped from the 32-bit rundll32 child (PID 2208). This memory match is the page's strongest evidence for the family attribution; the on-disk DLL is not what the rule hit.

Checks whether UAC is enabled (1 IoC)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe
  Reading EnableLUA only tells the sample whether UAC is switched on; nothing on this page shows the value being modified.

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid    Process        procid_target
  PID 3152 wrote to memory of 2208    3152   rundll32.exe   70
  PID 3152 wrote to memory of 2208    3152   rundll32.exe   70
  PID 3152 wrote to memory of 2208    3152   rundll32.exe   70
  All three writes go from the 64-bit rundll32 parent into the SysWOW64 child it spawned. Process creation itself writes into the new process, so this signature on its own does not establish injection into an unrelated process; it is context for the process tree below rather than an independent finding.
Processes

C:\Windows\system32\rundll32.exe  (PID 3152)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e937a97c5378b0328863623e15530e56cdbcc34f15ca6e1fadb424444b11024e.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe  (PID 2208)
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e937a97c5378b0328863623e15530e56cdbcc34f15ca6e1fadb424444b11024e.dll,#1
       signatures: Checks whether UAC is enabled

The DLL is invoked by ordinal (export #1) rather than by an export name, and it is loaded from a user-writable Temp directory. The hop from the System32 rundll32 to the SysWOW64 one is rundll32's normal WoW64 relaunch when it is handed a 32-bit DLL, so the sample is 32-bit and its code runs in PID 2208, which is also where the YARA match and the UAC check land.
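The chain above, condensed into detection logic as an added example that is not part of this sandbox report. The event records are constructed Sysmon-style dictionaries built from the report's PIDs, image paths, command lines and registry key; their field names (type, pid, ppid, image, cmdline, target_pid, api, key) are an assumed schema, not any real sensor's format, and the parent PID 1000 for the first rundll32 is made up because the page does not show it.

```python
"""Detection logic for the rundll32 chain in the report above.

Added example, not part of the sandbox report. EVENTS are constructed
Sysmon-style records modelled on the report; the field names are an
assumed schema, and ppid 1000 for PID 3152 is invented for completeness.
"""
import re
from collections import defaultdict

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\e937a97c5378b0328863623e15530e56cdbcc34f15ca6e1fadb424444b11024e.dll")

# ",#<n>" at the end of a rundll32 command line: export called by ordinal.
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\s*$", re.IGNORECASE)
# DLL path under a user's AppData\Local\Temp: no Windows component lives there.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
ENABLE_LUA = (r"\registry\machine\software\microsoft\windows\currentversion"
              r"\policies\system\enablelua")

# Constructed events mirroring the report (assumed schema).
EVENTS = [
    {"type": "process_create", "pid": 3152, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 2208, "ppid": 3152,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_access", "pid": 3152, "target_pid": 2208, "api": "WriteProcessMemory"},
    {"type": "process_access", "pid": 3152, "target_pid": 2208, "api": "WriteProcessMemory"},
    {"type": "process_access", "pid": 3152, "target_pid": 2208, "api": "WriteProcessMemory"},
    {"type": "registry_query", "pid": 2208,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Policies\System\EnableLUA"},
]


def is_rundll32(image: str) -> bool:
    return image.lower().endswith(r"\rundll32.exe")


def analyse(events):
    """Return {pid: sorted tags} for every rundll32 process and every target of a write."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = defaultdict(set)

    for pid, p in procs.items():
        if not is_rundll32(p["image"]):
            continue
        cmd = p["cmdline"]
        if USER_TEMP.search(cmd):
            findings[pid].add("dll_from_user_temp")
        if ORDINAL_EXPORT.search(cmd):
            findings[pid].add("ordinal_export")
        # rundll32 spawned by rundll32 from the other bitness directory: the normal
        # WoW64 relaunch for a 32-bit DLL. Recorded as context, not as an alert.
        parent = procs.get(p["ppid"])
        if parent and is_rundll32(parent["image"]) \
                and parent["image"].lower() != p["image"].lower():
            findings[pid].add("wow64_relaunch")

    for e in events:
        if e["type"] == "process_access" and e.get("api") == "WriteProcessMemory":
            # CreateProcess writes into the child it is building, so a write from a
            # parent into its own child is weak; a write into any other process is not.
            tgt = procs.get(e["target_pid"])
            own_child = tgt is not None and tgt["ppid"] == e["pid"]
            findings[e["target_pid"]].add(
                "parent_wrote_child" if own_child else "wrote_unrelated_process")
        elif e["type"] == "registry_query" and e["key"].lower() == ENABLE_LUA:
            # Reading EnableLUA: UAC status check ahead of a privilege decision.
            findings[e["pid"]].add("uac_status_check")

    return {pid: sorted(tags) for pid, tags in findings.items()}


def verdict(findings) -> list:
    """PIDs that combine a Temp-path ordinal load with the UAC check or a true injection."""
    alerts = []
    for pid, tags in findings.items():
        loader_shape = {"dll_from_user_temp", "ordinal_export"} <= set(tags)
        if loader_shape and ("uac_status_check" in tags or "wrote_unrelated_process" in tags):
            alerts.append(pid)
    return sorted(alerts)


if __name__ == "__main__":
    result = analyse(EVENTS)
    for pid, tags in sorted(result.items()):
        print(pid, ", ".join(tags))
    print("alert on:", verdict(result))
```

The parent (PID 3152) carries only the two loader-shape tags, because the relaunch and the writes into its own child are expected for a 32-bit DLL; the child (PID 2208) collects the UAC check on top of them and is the one PID that alerts. Swapping the write target for a PID that is not a child of 3152 would produce `wrote_unrelated_process` and alert on that target instead.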