Analysis
max time kernel: 37s
max time network: 44s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 22:50
Static task: static1

General
Target: 89d98d59f5fc514bf90aa465dedc58d1117a0f24b1095b5896f22e8ae86b5a3c.dll
Size: 161KB
MD5: bd4d502332d1c6cd8b7dcb72760d2ede
SHA1: a5ab6f2baaaaa0be038c5409bbb3418d648944b5
SHA256: 89d98d59f5fc514bf90aa465dedc58d1117a0f24b1095b5896f22e8ae86b5a3c
SHA512: 2502afdd8f161d784f24b6c96a10b2549dd83b4cb907584bdfffd559ad259fb4ba288ada194c638d18389f82c00cb131898e4adc94185108504caabaad49f2f5
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
rc4.plain
Signatures

Processes:
resource | yara_rule
behavioral1/memory/3872-115-0x0000000073A10000-0x0000000073A3E000-memory.dmp | dridex_ldr

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 3896 wrote to memory of 3872 | 3896 | rundll32.exe | rundll32.exe
PID 3896 wrote to memory of 3872 | 3896 | rundll32.exe | rundll32.exe
PID 3896 wrote to memory of 3872 | 3896 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89d98d59f5fc514bf90aa465dedc58d1117a0f24b1095b5896f22e8ae86b5a3c.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89d98d59f5fc514bf90aa465dedc58d1117a0f24b1095b5896f22e8ae86b5a3c.dll,#1
    - Checks whether UAC is enabled