Analysis
- max time kernel: 29s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 18:18
Static task: static1
Behavioral task: behavioral1
Sample: ce0091e9b13fe56e43305dfdef6d9273ad6ec223eb66d07cdea0a3393c0ec20a.dll
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds
General
- Target: ce0091e9b13fe56e43305dfdef6d9273ad6ec223eb66d07cdea0a3393c0ec20a.dll
- Size: 154KB
- MD5: e1a0dc65a92ef232983325d350e235a3
- SHA1: 765d3f9abb31e40093795b8a8dd1b1c73ec31f09
- SHA256: ce0091e9b13fe56e43305dfdef6d9273ad6ec223eb66d07cdea0a3393c0ec20a
- SHA512: 626da98a4030a8bb630fa06738a276dfcf515e04b1e4ec94686e85e40b8ad6c06dd8cbb6829f66d4175351704a1d3cbe79467d37dc13b08a4bc96ca908ec07dc
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
- rc4.plain
- rc4.plain
Signatures
-
Processes:
resource: behavioral2/memory/1112-115-0x0000000073FB0000-0x0000000073FDD000-memory.dmp
yara_rule: dridex_ldr
-
Processes: rundll32.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rundll32.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 648 wrote to memory of 1112 | 648 | rundll32.exe | rundll32.exe
PID 648 wrote to memory of 1112 | 648 | rundll32.exe | rundll32.exe
PID 648 wrote to memory of 1112 | 648 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce0091e9b13fe56e43305dfdef6d9273ad6ec223eb66d07cdea0a3393c0ec20a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce0091e9b13fe56e43305dfdef6d9273ad6ec223eb66d07cdea0a3393c0ec20a.dll,#1
    - Checks whether UAC is enabled