Analysis
Max time kernel: 18s
Max time network: 113s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 29-06-2021 03:56
Static task: static1
General
Target: ef35f528722916db01b20edf18e46d5dd310648c0d290336fd4043986a1044e6.dll
Size: 162KB
MD5: 6720f95aeda7afe4582238bd2ae35c3f
SHA1: 818d350113d9dea384b56afc496b08dc66d02604
SHA256: ef35f528722916db01b20edf18e46d5dd310648c0d290336fd4043986a1044e6
SHA512: 26979e357959033bf186ae720598e9324f603dcc50e73408d753b6ae6a35c87a028a4816e97771379b369db86f5d110575f5468e88ea853f088947287e79ed10
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
Signatures

Processes:
  Resource: behavioral1/memory/1692-115-0x0000000073860000-0x000000007388E000-memory.dmp
  YARA rule: dridex_ldr

Processes:
  Process: rundll32.exe
  Description: Key value queried
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  Process: rundll32.exe | Description: PID 3176 wrote to memory of 1692 | PID: 3176 | Process: rundll32.exe | Target process: rundll32.exe
  Process: rundll32.exe | Description: PID 3176 wrote to memory of 1692 | PID: 3176 | Process: rundll32.exe | Target process: rundll32.exe
  Process: rundll32.exe | Description: PID 3176 wrote to memory of 1692 | PID: 3176 | Process: rundll32.exe | Target process: rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef35f528722916db01b20edf18e46d5dd310648c0d290336fd4043986a1044e6.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  PID: 3176

  C:\Windows\SysWOW64\rundll32.exe (child of PID 3176)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef35f528722916db01b20edf18e46d5dd310648c0d290336fd4043986a1044e6.dll,#1
    Signature: Checks whether UAC is enabled
    PID: 1692