Analysis
max time kernel: 35s
max time network: 45s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 18:01
Static task: static1
General
Target: e22cfbea40fbc3026ee5099ce3527ef8c4f07de3faee00725b459e515ea952d4.dll
Size: 157KB
MD5: 6f306eb6d09d9c70f75b1520c0db6f51
SHA1: 522b527fea4f994ded30955e0736674ea218c8ca
SHA256: e22cfbea40fbc3026ee5099ce3527ef8c4f07de3faee00725b459e515ea952d4
SHA512: 3a079baa62a9f2c5bff56478c588e282bf4a97478fea5c6f5b90123964590184870f20d720778662b3903d194ca8cc5ed658a39e4ef0cf6a0e56b330eb6fdeef
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
159.8.59.82:443
51.91.156.39:2303
67.196.50.240:8172
rc4.plain
rc4.plain
Signatures
Processes:
resource | yara_rule
behavioral1/memory/3196-115-0x0000000074380000-0x00000000743AD000-memory.dmp | dridex_ldr
Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
description | pid | process | target process
PID 3724 wrote to memory of 3196 | 3724 | rundll32.exe | rundll32.exe
PID 3724 wrote to memory of 3196 | 3724 | rundll32.exe | rundll32.exe
PID 3724 wrote to memory of 3196 | 3724 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e22cfbea40fbc3026ee5099ce3527ef8c4f07de3faee00725b459e515ea952d4.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e22cfbea40fbc3026ee5099ce3527ef8c4f07de3faee00725b459e515ea952d4.dll,#1
    - Checks whether UAC is enabled