Analysis
Max time kernel: 38s
Max time network: 46s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-04-2021 23:46
Static task: static1
General
Target: a19e683b274b29ab58c07de3e31ba771743feb88764c9ddac730d19cb3ac9ede.dll
Size: 160KB
MD5: 2ed708676a3b32986d444650a1db8eb2
SHA1: 838a07a097bc1654290c2f26009678a3955bff97
SHA256: a19e683b274b29ab58c07de3e31ba771743feb88764c9ddac730d19cb3ac9ede
SHA512: 6a93187a798fd8a683781419dd8e89215c46c0489e88054508513221e0be25609300343918b0133f2a40cef7e590fb1b919b1ef0bd3b7776e3a385c39358e8e3
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
Attributes:
  rc4.plain
  rc4.plain
Signatures

Yara rule match (Processes):
  Resource: behavioral1/memory/2404-115-0x00000000742B0000-0x00000000742DE000-memory.dmp
  Yara rule: dridex_ldr

Checks whether UAC is enabled (Processes):
  Description: Key value queried
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe

Suspicious use of WriteProcessMemory, 3 IoCs (Processes):
  PID 3424 wrote to memory of 2404 (rundll32.exe -> rundll32.exe)
  PID 3424 wrote to memory of 2404 (rundll32.exe -> rundll32.exe)
  PID 3424 wrote to memory of 2404 (rundll32.exe -> rundll32.exe)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a19e683b274b29ab58c07de3e31ba771743feb88764c9ddac730d19cb3ac9ede.dll,#1
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a19e683b274b29ab58c07de3e31ba771743feb88764c9ddac730d19cb3ac9ede.dll,#1
      Signatures: Checks whether UAC is enabled