Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 18:10
- Static task: static1
General
- Target: fb0e8b93ff559313493e62925c3b4d24976b3a093b667eff7e28badc1efd3b67.dll
- Size: 154KB
- MD5: 09a563d4f0c9dfa3273b3bb445aa6270
- SHA1: e140388f81c4fd0fb583cc55ddcf7d589c0815bc
- SHA256: fb0e8b93ff559313493e62925c3b4d24976b3a093b667eff7e28badc1efd3b67
- SHA512: af7af792d394e9cc387f01a76a3ef5156044b58b8d5e4001c73d75127f8fa6c9c6e86593f875b38ddc6ef6c74143ac864b6cd681dfdf079f9913f69a5f382dc7
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
- rc4.plain
- rc4.plain
Signatures
-
Processes:
  resource | yara_rule
  behavioral1/memory/1176-115-0x00000000738F0000-0x000000007391D000-memory.dmp | dridex_ldr
-
Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description | pid | process | target process
  PID 856 wrote to memory of 1176 | 856 | rundll32.exe | rundll32.exe
  PID 856 wrote to memory of 1176 | 856 | rundll32.exe | rundll32.exe
  PID 856 wrote to memory of 1176 | 856 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb0e8b93ff559313493e62925c3b4d24976b3a093b667eff7e28badc1efd3b67.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb0e8b93ff559313493e62925c3b4d24976b3a093b667eff7e28badc1efd3b67.dll,#1
    - Checks whether UAC is enabled