Analysis
max time kernel: 26s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 29-06-2021 08:59
Static task: static1
General
Target: 065e5526b7684c9e2cea750fb53ad76dcc208e4dfd0033c81dcb35869e92749c.dll
Size: 162KB
MD5: c990e76f4b587f69aab6f55058e2a1e1
SHA1: 059b0edbf1fe8fcb816176e9b4625bb51d46a09c
SHA256: 065e5526b7684c9e2cea750fb53ad76dcc208e4dfd0033c81dcb35869e92749c
SHA512: f05d42023ded5f8beb23f0404ba4b0e1bf1bd0524b1e4f5d0a468cadf602f356cb896a1b49ccf934ecddad97a21f99e291e1d65bc14aede12c30611c4f65665d
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
rc4.plain
rc4.plain
Signatures
YARA match (yara_rule)
  resource: behavioral1/memory/4864-115-0x0000000073880000-0x00000000738AE000-memory.dmp
  rule: dridex_ldr
Checks whether UAC is enabled
  process: rundll32.exe
  key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4800 (rundll32.exe) wrote to memory of PID 4864 (rundll32.exe)
  PID 4800 (rundll32.exe) wrote to memory of PID 4864 (rundll32.exe)
  PID 4800 (rundll32.exe) wrote to memory of PID 4864 (rundll32.exe)
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\065e5526b7684c9e2cea750fb53ad76dcc208e4dfd0033c81dcb35869e92749c.dll,#1
  PID: 4800
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child of PID 4800)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\065e5526b7684c9e2cea750fb53ad76dcc208e4dfd0033c81dcb35869e92749c.dll,#1
    PID: 4864
    - Checks whether UAC is enabled