Analysis
-
max time kernel
144s -
max time network
143s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
21-04-2021 18:18
Static task
static1
Behavioral task
behavioral1
Sample
05bb6cecbc8dfce3d509a8613196e55094ee2af4071bd99d3ce80fa4a631935e.dll
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
General
-
Target
05bb6cecbc8dfce3d509a8613196e55094ee2af4071bd99d3ce80fa4a631935e.dll
-
Size
154KB
-
MD5
c5d6668dde886a47f3ac9f1c8ddaa07b
-
SHA1
7a6081b591856e1ec919839ae1d3a07d0496fef5
-
SHA256
05bb6cecbc8dfce3d509a8613196e55094ee2af4071bd99d3ce80fa4a631935e
-
SHA512
171fa8f403d689b5b3a507791b130366da1f8c2212d3f7d882f25897695cfe5b276f65b6023b1f17e046e1ef5a6bbf9bd41fe2cc9c60b835a3860f6733c0f54b
Malware Config
Extracted
Family
dridex
Botnet
40111
C2
159.8.59.82:443
51.91.156.39:2303
67.196.50.240:8172
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1840-61-0x0000000074DC0000-0x0000000074DED000-memory.dmp dridex_ldr -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1756 wrote to memory of 1840 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1840 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1840 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1840 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1840 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1840 1756 rundll32.exe rundll32.exe PID 1756 wrote to memory of 1840 1756 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\05bb6cecbc8dfce3d509a8613196e55094ee2af4071bd99d3ce80fa4a631935e.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\05bb6cecbc8dfce3d509a8613196e55094ee2af4071bd99d3ce80fa4a631935e.dll,#12⤵
- Checks whether UAC is enabled
PID:1840
-