Analysis
- max time kernel: 100s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 18:07
- Static task: static1
General
- Target: 54963ae4b4fdd4fe4ab421d2911823ba792f53129ef2b1486183fccdf661ea8c.dll
- Size: 154KB
- MD5: 1b3302b2acf96cb15821fb66c54b6a5e
- SHA1: 7e8a3f6619f562867973e634503c66cb6e162653
- SHA256: 54963ae4b4fdd4fe4ab421d2911823ba792f53129ef2b1486183fccdf661ea8c
- SHA512: e6e0ba8944dab60e55a06ed14df85a617dd8a74d38cdbc0f3eedb7e2d80f25f97a4515667e8416f7a303e65d26d783b05db9464aaf90d56fe875c0bb752b3442
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 159.8.59.82:443
  - 51.91.156.39:2303
  - 67.196.50.240:8172
- rc4.plain
- rc4.plain
Signatures
-
Processes:
  resource: behavioral1/memory/4076-115-0x00000000755E0000-0x000000007560D000-memory.dmp
  yara_rule: dridex_ldr
-
Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
  description: PID 3944 wrote to memory of 4076
  pid: 3944
  process: rundll32.exe
  target process: rundll32.exe
  description: PID 3944 wrote to memory of 4076
  pid: 3944
  process: rundll32.exe
  target process: rundll32.exe
  description: PID 3944 wrote to memory of 4076
  pid: 3944
  process: rundll32.exe
  target process: rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54963ae4b4fdd4fe4ab421d2911823ba792f53129ef2b1486183fccdf661ea8c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54963ae4b4fdd4fe4ab421d2911823ba792f53129ef2b1486183fccdf661ea8c.dll,#1
    - Checks whether UAC is enabled