Analysis

max time kernel: 27s
max time network: 118s
platform: windows10_x64
resource: win10v20210408
submitted: 22-06-2021 12:55
Static task: static1
General

Target: d2524a68c0b6302a88d3ae157fba04e4d3b1881cc3a636f8fa323cf90f3a7a1c.dll
Size: 162KB
MD5: 29431722d8ca241c3e1f03dd9d6a485e
SHA1: fe516fb408d725ad6a4ba4ebc0737fe6c75c875e
SHA256: d2524a68c0b6302a88d3ae157fba04e4d3b1881cc3a636f8fa323cf90f3a7a1c
SHA512: 1a56cb0436b118c1b1fdce917ce0c372b34b6ec9c05d41a4ea342af710f9d6bd431158d8b100b7add54c3eeb21833f3754ad534852d2e6ce07ea5f8fa505b3ed
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/4052-115-0x0000000074260000-0x000000007428E000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process        procid_target
  PID 996 wrote to memory of 4052    996   rundll32.exe   72
  PID 996 wrote to memory of 4052    996   rundll32.exe   72
  PID 996 wrote to memory of 4052    996   rundll32.exe   72
Processes

C:\Windows\system32\rundll32.exe (PID 996)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2524a68c0b6302a88d3ae157fba04e4d3b1881cc3a636f8fa323cf90f3a7a1c.dll,#1
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 4052, child of 996)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2524a68c0b6302a88d3ae157fba04e4d3b1881cc3a636f8fa323cf90f3a7a1c.dll,#1
    signatures: Checks whether UAC is enabled