Analysis

  Max time kernel:   27s
  Max time network:  113s
  Platform:          windows10_x64
  Resource:          win10v20210410
  Submitted:         21-04-2021 20:04

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          35e2097fcf7b343fc48132b8bae18fa6fe7cb8d8bb277e650576a9633573cc34.dll
    Resource:        win7v20210408 (windows7_x64)
    Result:          0 signatures, 0 seconds
General

  Target:  35e2097fcf7b343fc48132b8bae18fa6fe7cb8d8bb277e650576a9633573cc34.dll
  Size:    157KB
  MD5:     6508469bdacc5c2b1da9c869671bb3f6
  SHA1:    082998c64bb960f05b6f88fb2e25bad8ede48ca8
  SHA256:  35e2097fcf7b343fc48132b8bae18fa6fe7cb8d8bb277e650576a9633573cc34
  SHA512:  a8f966c0dc5d91ec64239275450a20f0a1effa7de9a07752c583b7f3786397248269564d9090b104cb5b17958e69d5b9ae5a2f37c76715c0468a67f391814090
Malware Config

  Extracted
    Family:  dridex
    Botnet:  40112
    C2:
      159.8.59.82:443
      51.91.156.39:2303
      67.196.50.240:8172
    rc4.plain
    rc4.plain
Signatures

  Processes:
    resource                                                                          | yara_rule
    behavioral2/memory/3964-115-0x00000000735D0000-0x00000000735FD000-memory.dmp      | dridex_ldr

  Processes: rundll32.exe
    description         | ioc                                                                                  | process
    Key value queried   | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                        | pid  | process      | target process
    PID 3912 wrote to memory of 3964   | 3912 | rundll32.exe | rundll32.exe
    PID 3912 wrote to memory of 3964   | 3912 | rundll32.exe | rundll32.exe
    PID 3912 wrote to memory of 3964   | 3912 | rundll32.exe | rundll32.exe
Processes

  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\35e2097fcf7b343fc48132b8bae18fa6fe7cb8d8bb277e650576a9633573cc34.dll,#1
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\35e2097fcf7b343fc48132b8bae18fa6fe7cb8d8bb277e650576a9633573cc34.dll,#1
        - Checks whether UAC is enabled