Analysis
max time kernel: 95s
max time network: 118s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 18:07
Static task: static1
General
Target: 54f6d6235647930634ead35874205fc5a88ce92bf33cfef761c6f6d18fb0c9f3.dll
Size: 157KB
MD5: a6e9423a7fc85f274e831b34ef002098
SHA1: e8fa45ed002024dc6288adaf3f78e78210856087
SHA256: 54f6d6235647930634ead35874205fc5a88ce92bf33cfef761c6f6d18fb0c9f3
SHA512: 32f41741f6f16953c40d9881da7ea3ac7b35baf77bbd82ecda6604c7d11bf25e28661afc40e26f68543d5ca4faa2a29a6bf52375f2768c3a1dbb413234c67f67
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/1948-115-0x0000000073990000-0x00000000739BD000-memory.dmp
  yara_rule: dridex_ldr

Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 1456 wrote to memory of 1948 | pid: 1456 | process: rundll32.exe | target process: rundll32.exe
  description: PID 1456 wrote to memory of 1948 | pid: 1456 | process: rundll32.exe | target process: rundll32.exe
  description: PID 1456 wrote to memory of 1948 | pid: 1456 | process: rundll32.exe | target process: rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54f6d6235647930634ead35874205fc5a88ce92bf33cfef761c6f6d18fb0c9f3.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54f6d6235647930634ead35874205fc5a88ce92bf33cfef761c6f6d18fb0c9f3.dll,#1
    - Checks whether UAC is enabled