Analysis
Max time kernel: 120s
Max time network: 105s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 21-04-2021 18:02
Static task: static1
General
Target: 41522735eca45af9769505dc3cb1558c73a96a447cdfbc71ba2bcdf70c661bd5.dll
Size: 157KB
MD5: bbc8e463be5f746f0c62393abc12de87
SHA1: e0ce4e3f5af106718f94833c4a4934f56c8eebd2
SHA256: 41522735eca45af9769505dc3cb1558c73a96a447cdfbc71ba2bcdf70c661bd5
SHA512: f16b10eb6596379668843a685d32012ce27a8ac00d277ba0dc9ae140a6e76f03d9f880455d625ee9b6bf7b51e7e9cf3e04d2268f5255567c4bdb956731766cd8
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
rc4.plain
Signatures

YARA match
  Processes:
    resource: behavioral1/memory/364-115-0x0000000074430000-0x000000007445D000-memory.dmp
    yara_rule: dridex_ldr

Checks whether UAC is enabled
  Processes:
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 764 wrote to memory of 364
    pid: 764
    process: rundll32.exe
    target process: rundll32.exe

    description: PID 764 wrote to memory of 364
    pid: 764
    process: rundll32.exe
    target process: rundll32.exe

    description: PID 764 wrote to memory of 364
    pid: 764
    process: rundll32.exe
    target process: rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41522735eca45af9769505dc3cb1558c73a96a447cdfbc71ba2bcdf70c661bd5.dll,#1
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41522735eca45af9769505dc3cb1558c73a96a447cdfbc71ba2bcdf70c661bd5.dll,#1
    Signatures: Checks whether UAC is enabled