Analysis
max time kernel: 19s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 29-06-2021 06:57
Static task: static1
General
Target: 7371001362933249cd5700e79a30629ee2857ca1e59e23b18b9d3be74f054b89.dll
Size: 162KB
MD5: b39dac2e1478878de5c607cad0a423a3
SHA1: c4db30c1a8589d54ce64720e2697fd8e56af00c6
SHA256: 7371001362933249cd5700e79a30629ee2857ca1e59e23b18b9d3be74f054b89
SHA512: 402b82e8dfaae874305eba17a5a18d8ac76b16adca40627e05964469ffa1c999a18c4036c3878661e605fcb7fe083e085df48dcb790e213dca318357d85602e2
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  107.172.227.10:443
  172.93.133.123:2303
  108.168.61.147:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/3160-115-0x00000000735D0000-0x00000000735FE000-memory.dmp
  yara_rule: dridex_ldr

Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description: PID 1496 wrote to memory of 3160 | pid: 1496 | process: rundll32.exe | target process: rundll32.exe
  description: PID 1496 wrote to memory of 3160 | pid: 1496 | process: rundll32.exe | target process: rundll32.exe
  description: PID 1496 wrote to memory of 3160 | pid: 1496 | process: rundll32.exe | target process: rundll32.exe
Processes

C:\Windows\system32\rundll32.exe  1⤵
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7371001362933249cd5700e79a30629ee2857ca1e59e23b18b9d3be74f054b89.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 1496

  C:\Windows\SysWOW64\rundll32.exe  2⤵
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7371001362933249cd5700e79a30629ee2857ca1e59e23b18b9d3be74f054b89.dll,#1
    Checks whether UAC is enabled
    PID: 3160