Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 18:44
- Static task: static1
General
- Target: 25c24cf0d1d05560cdc7c8f3c3453c91c15f2e2f3861dfde0ab5bec8f1758792.dll
- Size: 154KB
- MD5: 38d1499da04ad52b677bde9b4b92bf6b
- SHA1: 59b906a424c93cd2f15ffc990bcd2583b0a0e8e6
- SHA256: 25c24cf0d1d05560cdc7c8f3c3453c91c15f2e2f3861dfde0ab5bec8f1758792
- SHA512: 1bc646f622845bc86a7fdee5afffd3c0dd8a5606c6acab4035cd0df607968db66f8fd4d0aac2915e551775a01578342f92a98f9f055a1e1ca96c806ceeceb25e
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 159.8.59.82:443
  - 51.91.156.39:2303
  - 67.196.50.240:8172
- rc4.plain
Signatures
- YARA rule match (1 IoC)
  resource | yara_rule
  behavioral1/memory/1420-115-0x00000000738F0000-0x000000007391D000-memory.dmp | dridex_ldr
- Checks whether UAC is enabled (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 856 wrote to memory of 1420 | 856 | rundll32.exe | rundll32.exe
  PID 856 wrote to memory of 1420 | 856 | rundll32.exe | rundll32.exe
  PID 856 wrote to memory of 1420 | 856 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\25c24cf0d1d05560cdc7c8f3c3453c91c15f2e2f3861dfde0ab5bec8f1758792.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\25c24cf0d1d05560cdc7c8f3c3453c91c15f2e2f3861dfde0ab5bec8f1758792.dll,#1
    - Checks whether UAC is enabled