Analysis
max time kernel: 37s
max time network: 47s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 21:44
Static task: static1
General
Target: a932c1d7e3dce808218b468404f68adb3db783e76a06df4a8ce06f3f80c17dd2.dll
Size: 154KB
MD5: 9ef94b134a00126f13b5fd602a42e95f
SHA1: f8434d47d74af07696bc034d683daae37ee73cc2
SHA256: a932c1d7e3dce808218b468404f68adb3db783e76a06df4a8ce06f3f80c17dd2
SHA512: c430d66de1aa9f1dd7d3f0562924278c134f8f7ed652dbd26fda8b795db604978d2476e594a0a0648500cb56b69c671af235a9b9e131c02c2aa1b25a44b2cbc8
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
159.8.59.82:443
51.91.156.39:2303
67.196.50.240:8172
rc4.plain
rc4.plain
Signatures
Processes:
resource: behavioral1/memory/3764-115-0x0000000073A10000-0x0000000073A3D000-memory.dmp
yara_rule: dridex_ldr
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description: PID 3896 wrote to memory of 3764 | pid: 3896 | process: rundll32.exe | target process: rundll32.exe
description: PID 3896 wrote to memory of 3764 | pid: 3896 | process: rundll32.exe | target process: rundll32.exe
description: PID 3896 wrote to memory of 3764 | pid: 3896 | process: rundll32.exe | target process: rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a932c1d7e3dce808218b468404f68adb3db783e76a06df4a8ce06f3f80c17dd2.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a932c1d7e3dce808218b468404f68adb3db783e76a06df4a8ce06f3f80c17dd2.dll,#1
      - Checks whether UAC is enabled