Analysis
-
max time kernel
38s -
max time network
46s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
21-04-2021 18:11
Static task
static1
General
-
Target
c43f42479ceb17cfe0342acd32a1ed0216166a646fa8633bb1aa4efee269c196.dll
-
Size
154KB
-
MD5
7c8acbd8a01ddf731d163c3d4b13b24d
-
SHA1
39c71a51c934e4bcd0bdb3e69b052fc8eff48208
-
SHA256
c43f42479ceb17cfe0342acd32a1ed0216166a646fa8633bb1aa4efee269c196
-
SHA512
403567cad0489c80e66085bfff6f69490049e755efa686c9cfa96c093a616fe678a8cb7a9d27e261649ea1b837388996dca43aeb1294db1e974fa1eba6c8edbb
Malware Config
Extracted
Family
dridex
Botnet
40111
C2
159.8.59.82:443
51.91.156.39:2303
67.196.50.240:8172
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/3908-115-0x00000000735D0000-0x00000000735FD000-memory.dmp dridex_ldr -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3916 wrote to memory of 3908 3916 rundll32.exe rundll32.exe PID 3916 wrote to memory of 3908 3916 rundll32.exe rundll32.exe PID 3916 wrote to memory of 3908 3916 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c43f42479ceb17cfe0342acd32a1ed0216166a646fa8633bb1aa4efee269c196.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c43f42479ceb17cfe0342acd32a1ed0216166a646fa8633bb1aa4efee269c196.dll,#12⤵
- Checks whether UAC is enabled
PID:3908