Analysis
Max time kernel: 114s
Max time network: 115s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 21-04-2021 18:07
Static task: static1
General
Target: 1fa0625798c3d9042acf8dc0f1ac523b1dc5f2a2334f2432a556a3df6624c4d9.dll
Size: 154KB
MD5: 3059deb7232f190cee5b9586f2f0b912
SHA1: d8312885852c61f36b5ffec23fe0c992a41c5ca9
SHA256: 1fa0625798c3d9042acf8dc0f1ac523b1dc5f2a2334f2432a556a3df6624c4d9
SHA512: e3a438cc8651c721a317a7bcaaf733c0ad53482ec4429a38e1db0c1d6b90bcc63dfe107d6ff4a3837b17051e36b96e4f963349a8b9fb8676dd1379cf8e9479db
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/1832-115-0x0000000073620000-0x000000007364D000-memory.dmp
  yara_rule: dridex_ldr

Processes:
  process: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      | pid | process      | target process
  PID 584 wrote to memory of 1832  | 584 | rundll32.exe | rundll32.exe
  PID 584 wrote to memory of 1832  | 584 | rundll32.exe | rundll32.exe
  PID 584 wrote to memory of 1832  | 584 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fa0625798c3d9042acf8dc0f1ac523b1dc5f2a2334f2432a556a3df6624c4d9.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fa0625798c3d9042acf8dc0f1ac523b1dc5f2a2334f2432a556a3df6624c4d9.dll,#1
    - Checks whether UAC is enabled