Analysis
Max time kernel: 36s
Max time network: 43s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 21-04-2021 18:18
Static task: static1
General
Target: 96f78b847b1430f4f551093be5c6ea63f1f4b3b855b39fda6143cb91754e372e.dll
Size: 157KB
MD5: 5d227f58fad191b6a2c74b3f33fd2929
SHA1: afd62828aecc042de94989262a56c4a4d91f3695
SHA256: 96f78b847b1430f4f551093be5c6ea63f1f4b3b855b39fda6143cb91754e372e
SHA512: b5564c582cf59d04999a40aa55db74c3053a8e0991873e128ab7a58f07a1448f3e6bb61356e9f761fe077d913527e05b1b223ad917982fbb966a27a984073813
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
rc4.plain
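The three C2 endpoints above are the most directly actionable part of the extracted config. The script below is an added example, not part of the sandbox report: it copies the ip:port list from the Malware Config and scans Zeek-style conn.log records for it, treating an exact ip:port hit as high confidence and a hit on the same host over another port as medium confidence (Dridex C2 ports vary per botnet, so an IP-only match is still worth a look). The log lines are constructed for the example and follow the first seven conn.log columns (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto).

```python
"""Hunt for the extracted Dridex C2 endpoints in Zeek conn.log records.

Added example, not part of the sandbox report. The C2 list is copied from
the Malware Config above; the log lines below are constructed."""
import ipaddress
from dataclasses import dataclass

# ip:port pairs exactly as the extracted config lists them.
DRIDEX_C2 = {
    ("159.8.59.82", 443),
    ("51.91.156.39", 2303),
    ("67.196.50.240", 8172),
}
C2_HOSTS = {ip for ip, _ in DRIDEX_C2}

# Constructed sample in Zeek conn.log column order:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1619028000.1\tCa1\t10.0.0.15\t49812\t159.8.59.82\t443\ttcp
1619028001.2\tCa2\t10.0.0.15\t49813\t142.250.74.78\t443\ttcp
1619028002.3\tCa3\t10.0.0.22\t52110\t51.91.156.39\t2303\ttcp
1619028003.4\tCa4\t10.0.0.22\t52111\t67.196.50.240\t80\ttcp
1619028004.5\tCa5\t10.0.0.22\t52112
"""


@dataclass(frozen=True)
class Finding:
    uid: str
    src: str
    dst: str
    port: int
    confidence: str  # "high" = ip:port match, "medium" = known C2 host, other port


def parse_conn_line(line):
    """Return (uid, orig_h, resp_h, resp_p) or None for header/malformed rows."""
    if not line or line.startswith("#"):
        return None
    cols = line.rstrip("\n").split("\t")
    if len(cols) < 7:
        return None
    try:
        ipaddress.ip_address(cols[2])
        ipaddress.ip_address(cols[4])
        port = int(cols[5])
    except ValueError:
        return None
    return cols[1], cols[2], cols[4], port


def scan_conn_log(text):
    """Match every parsable record against the C2 set, exact pair first."""
    findings = []
    for line in text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        uid, src, dst, port = rec
        if (dst, port) in DRIDEX_C2:
            findings.append(Finding(uid, src, dst, port, "high"))
        elif dst in C2_HOSTS:
            findings.append(Finding(uid, src, dst, port, "medium"))
    return findings


if __name__ == "__main__":
    for f in scan_conn_log(SAMPLE_CONN_LOG):
        print(f"{f.confidence:6} {f.uid} {f.src} -> {f.dst}:{f.port}")
```

Run against a real conn.log, the header and any truncated rows are skipped rather than raising, and the `medium` tier surfaces the port drift that a strict ip:port lookup would miss. Expire the list when the botnet rotates infrastructure; the hashes in the General section stay valid for the file itself, but the C2 set is a point-in-time observation from this 21-04-2021 run.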
Signatures

YARA match: dridex_ldr (Dridex loader in memory)
  resource: behavioral1/memory/1140-115-0x0000000073F10000-0x0000000073F3D000-memory.dmp
  yara_rule: dridex_ldr
  The matched region (0x73F10000-0x73F3D000) was dumped from PID 1140, the SysWOW64 rundll32.exe in the process tree below.

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 488 (rundll32.exe) wrote to memory of PID 1140 (rundll32.exe), recorded three times
Processes

C:\Windows\system32\rundll32.exe (PID 488)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\96f78b847b1430f4f551093be5c6ea63f1f4b3b855b39fda6143cb91754e372e.dll,#1
  Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 1140)
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\96f78b847b1430f4f551093be5c6ea63f1f4b3b855b39fda6143cb91754e372e.dll,#1
       Checks whether UAC is enabled

The ",#1" argument tells rundll32 to call the DLL's export ordinal 1 rather than a named export. The 64-bit rundll32.exe from system32 (PID 488) is the submitted entry point; the 32-bit copy from SysWOW64 (PID 1140) is where the Dridex loader was found in memory and where the EnableLUA query originates.
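The behaviour recorded above (rundll32 loading a DLL from the user's Temp directory by ordinal export, a system32 rundll32 spawning a SysWOW64 rundll32, the parent writing into the child's memory, and the child querying EnableLUA) maps onto a small set of endpoint events. The following is an added example, not part of the sandbox report or its tooling: it correlates those events into findings. The event dicts are constructed to mirror the report's PIDs (488 and 1140); field names follow Sysmon where an equivalent exists (Image, ParentImage, CommandLine, GrantedAccess, TargetObject), while the `registry_query` record models a sandbox or EDR feed, because Sysmon does not log registry value queries. The parent of PID 488 is not shown in the report and is a constructed value.

```python
"""Correlate the rundll32 chain from the report's process tree and signatures
over constructed endpoint events.

Added example, not part of the sandbox report. Events are constructed; field
names follow Sysmon where Sysmon has an equivalent. Registry queries are not
logged by Sysmon, so the EnableLUA record models a sandbox/EDR feed."""
import re

# rundll32 invoked with a DLL by ordinal export, e.g. "foo.dll,#1"
RUNDLL32_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),\s*#(?P<ordinal>\d+)", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUNDLL32_IMAGE = re.compile(r"\\(system32|syswow64)\\rundll32\.exe$", re.I)

# PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the minimum WriteProcessMemory needs.
VM_WRITE_MASK = 0x0008 | 0x0020

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\96f78b847b1430f4f551093be5c6ea63f1f4b3b855b39fda6143cb91754e372e.dll")

# Constructed events mirroring the report: PID 488 (64-bit rundll32) spawns
# PID 1140 (32-bit rundll32), writes into it, and 1140 queries EnableLUA.
SAMPLE_EVENTS = [
    {"type": "process_create", "ProcessId": 488, "ParentProcessId": 3004,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # parent of 488 not in report; constructed
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "ProcessId": 1140, "ParentProcessId": 488,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_access", "SourceProcessId": 488, "TargetProcessId": 1140,
     "GrantedAccess": 0x1FFFFF},  # PROCESS_ALL_ACCESS, includes VM_WRITE|VM_OPERATION
    {"type": "registry_query", "ProcessId": 1140,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Policies\System\EnableLUA"},
    # Benign noise: a named export, DLL not in Temp; must not fire.
    {"type": "process_create", "ProcessId": 2200, "ParentProcessId": 3004,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /?"},
]


def arch_of(image):
    """'x64' for \\system32\\, 'x86' for \\SysWOW64\\ rundll32 on a 64-bit host, else None."""
    m = RUNDLL32_IMAGE.search(image)
    if not m:
        return None
    return "x86" if m.group(1).lower() == "syswow64" else "x64"


def detect(events):
    """Return (tag, detail) findings for the Dridex-style rundll32 chain."""
    findings = []
    suspicious = {}  # pid -> DLL path, for rundll32 loading a Temp DLL by ordinal

    for ev in events:
        if ev["type"] != "process_create" or not RUNDLL32_IMAGE.search(ev["Image"]):
            continue
        m = RUNDLL32_ORDINAL.search(ev["CommandLine"])
        if not (m and USER_TEMP.search(m.group("dll"))):
            continue
        suspicious[ev["ProcessId"]] = m.group("dll")
        findings.append(("rundll32_temp_ordinal",
                         f"pid {ev['ProcessId']} loads {m.group('dll')} export #{m.group('ordinal')}"))
        parent_arch, child_arch = arch_of(ev["ParentImage"]), arch_of(ev["Image"])
        if ev["ParentProcessId"] in suspicious and parent_arch and child_arch \
                and parent_arch != child_arch:
            findings.append(("rundll32_cross_arch_respawn",
                             f"pid {ev['ParentProcessId']} ({parent_arch}) -> "
                             f"pid {ev['ProcessId']} ({child_arch})"))

    for ev in events:
        if ev["type"] == "process_access":
            src, dst = ev["SourceProcessId"], ev["TargetProcessId"]
            if src in suspicious and dst in suspicious \
                    and ev["GrantedAccess"] & VM_WRITE_MASK == VM_WRITE_MASK:
                findings.append(("cross_process_memory_write", f"pid {src} -> pid {dst}"))
        elif ev["type"] == "registry_query":
            if ev["ProcessId"] in suspicious \
                    and ev["TargetObject"].lower().endswith(r"\policies\system\enablelua"):
                findings.append(("uac_enablelua_check", f"pid {ev['ProcessId']}"))
    return findings


if __name__ == "__main__":
    for tag, detail in detect(SAMPLE_EVENTS):
        print(f"{tag}: {detail}")
```

The respawn by itself is weak evidence: on 64-bit Windows the system32 rundll32.exe hands a 32-bit DLL to its SysWOW64 counterpart as a matter of course, which is why the code anchors every other finding on the first one (a DLL under the user's Temp directory invoked by ordinal) rather than treating the parent/child pair or the EnableLUA read as suspicious on their own.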