Analysis
max time kernel: 105s
max time network: 107s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 18:11
Static task: static1
General
Target: 655153a04937434c5493ec742414c2defa9e324598c1d14ac653796e8591682d.dll
Size: 154KB
MD5: f6248680060f00435c30fdcc1f2eb68d
SHA1: 6c48a183a183f3bd1639931d48fbbcd5e0aa6db7
SHA256: 655153a04937434c5493ec742414c2defa9e324598c1d14ac653796e8591682d
SHA512: 72bd5eb7b56d938640346f887e631e103c79227d33a80ed25d56280a60e079077c4e4a9686c3b47e72581a533c2484c034860d62487805c0e780207b89783622
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/1248-115-0x0000000073A90000-0x0000000073ABD000-memory.dmp
  yara_rule: dridex_ldr

Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description: PID 512 wrote to memory of 1248 | pid: 512 | process: rundll32.exe | target process: rundll32.exe
  description: PID 512 wrote to memory of 1248 | pid: 512 | process: rundll32.exe | target process: rundll32.exe
  description: PID 512 wrote to memory of 1248 | pid: 512 | process: rundll32.exe | target process: rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\655153a04937434c5493ec742414c2defa9e324598c1d14ac653796e8591682d.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\655153a04937434c5493ec742414c2defa9e324598c1d14ac653796e8591682d.dll,#1
    - Checks whether UAC is enabled