Analysis
max time kernel: 26s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 24-06-2021 07:02
Static task: static1
General
Target: 12b70758d432c5ba73934a71bb229c09bdcab957d7e89aff49a1656e78888b99.dll
Size: 162KB
MD5: 6cdd6669cb66336de4a6c773e4bd7b43
SHA1: 38f878a5504ee808f158db22726ecad199aab5ab
SHA256: 12b70758d432c5ba73934a71bb229c09bdcab957d7e89aff49a1656e78888b99
SHA512: e8fb3db0d27b2bf8e671990ab40977485394e2544842cfda059f65d95bc507911a0562638f167cc3f19a9c31c8df937c3facb11c5b4f7d9c7ec557ddc16941fe
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
rc4.plain
rc4.plain
Signatures
Processes:
resource: behavioral1/memory/4872-115-0x0000000073880000-0x00000000738AE000-memory.dmp
yara_rule: dridex_ldr
Processes: rundll32.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
description: PID 4796 wrote to memory of 4872 | pid: 4796 | process: rundll32.exe | target process: rundll32.exe
description: PID 4796 wrote to memory of 4872 | pid: 4796 | process: rundll32.exe | target process: rundll32.exe
description: PID 4796 wrote to memory of 4872 | pid: 4796 | process: rundll32.exe | target process: rundll32.exe
Processes
C:\Windows\system32\rundll32.exe (tree level 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12b70758d432c5ba73934a71bb229c09bdcab957d7e89aff49a1656e78888b99.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (tree level 2, child of the process above)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12b70758d432c5ba73934a71bb229c09bdcab957d7e89aff49a1656e78888b99.dll,#1
    - Checks whether UAC is enabled