Analysis
Max time kernel: 49s
Max time network: 58s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-04-2021 18:11
Static task: static1
General
Target: 9237fbf00f65f2292bd4f6b9e14e1cb274559bdd30e34c4072ede9beea4340c9.dll
Size: 157KB
MD5: be60cc1e302710d36c08dfabfc948616
SHA1: 3dc30074930ecc5018d5e2a61a76e25068ef0c7f
SHA256: 9237fbf00f65f2292bd4f6b9e14e1cb274559bdd30e34c4072ede9beea4340c9
SHA512: 2a1752eb4cf00df66b0fe6ee633ef3bc8002b38c83df47407977fb3d442150a203c3c91d0871c40937165cd595828d381c2d7828ab346762480cce2de6497a34
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
rc4.plain
Signatures
YARA rule match: dridex_ldr
  resource: behavioral1/memory/1496-115-0x00000000735E0000-0x000000007360D000-memory.dmp
  (the hit is in the memory of PID 1496, the 32-bit SysWOW64 rundll32.exe that loads the DLL)
Checks whether UAC is enabled
  process: rundll32.exe
  ioc: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of WriteProcessMemory (3 IoCs)
  process: rundll32.exe
  PID 3968 (rundll32.exe) wrote to memory of PID 1496 (rundll32.exe), recorded three times
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\9237fbf00f65f2292bd4f6b9e14e1cb274559bdd30e34c4072ede9beea4340c9.dll,#1
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\SysWOW64\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\9237fbf00f65f2292bd4f6b9e14e1cb274559bdd30e34c4072ede9beea4340c9.dll,#1
   - Checks whether UAC is enabled

The DLL is invoked by ordinal (export #1) from the user's Temp directory. The tree is consistent with the 64-bit rundll32.exe (PID 3968) relaunching itself as the 32-bit SysWOW64 copy (PID 1496) to load a 32-bit DLL; the three WriteProcessMemory events are that parent writing into its child. The EnableLUA query and the dridex_ldr YARA hit both belong to the 32-bit child, which is where the DLL actually runs.
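As an added example, not part of the report and not Tria.ge's own tooling: a Python script that turns the extracted config and the process tree above into something a defender can act on. It parses the C2 list into validated (ip, port) pairs, emits one Suricata rule per socket (the sid range is an assumption, pick your own), and flags rundll32 launches that match the pattern seen here: a DLL loaded from a user Temp path, an export called by ordinal, and a 64-bit rundll32 spawning the SysWOW64 copy. The process events, the parent PID 1200 and the benign shell32.dll control launch are constructed; the PIDs 3968 and 1496, the paths and the DLL name are the report's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the report's extracted config: values are the report's,
# the "key: value" layout is ours.
EXTRACTED_CONFIG = """\
Family: dridex
Botnet: 40112
C2: 159.8.59.82:443
C2: 51.91.156.39:2303
C2: 67.196.50.240:8172
"""

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\9237fbf00f65f2292bd4f6b9e14e1cb274559bdd30e34c4072ede9beea4340c9.dll")


def parse_c2(config_text: str) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs for every C2 line, rejecting malformed entries."""
    sockets = []
    for line in config_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "C2":
            continue
        host, _, port = value.strip().rpartition(":")
        if not re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", host) or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {line!r}")
        sockets.append((host, int(port)))
    return sockets


def suricata_rules(sockets, botnet: str, sid_base: int = 9000000) -> List[str]:
    """One alert per C2 socket; sid_base is an assumption, choose a free range."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Dridex botnet {botnet} C2 {ip}:{port}"; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(sockets)
    ]


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Constructed process-creation events mirroring the report's tree, plus one
# benign rundll32 launch (shell32.dll,Control_RunDLL) as a control.
SAMPLE_EVENTS = [
    ProcessEvent(3968, 1200, r"C:\Windows\system32\rundll32.exe",
                 f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcessEvent(1496, 3968, r"C:\Windows\SysWOW64\rundll32.exe",
                 f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcessEvent(5120, 1200, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

ORDINAL_EXPORT = re.compile(r",\s*#\d+\s*$")                 # "...dll,#1"
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)


def flag_rundll32(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Return pid -> reasons for rundll32 launches matching the report's pattern."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        if not RUNDLL32.search(e.image):
            continue
        reasons = []
        if USER_TEMP.search(e.cmdline):
            reasons.append("DLL loaded from a user Temp directory")
        if ORDINAL_EXPORT.search(e.cmdline):
            reasons.append("export called by ordinal (#N) rather than by name")
        parent = by_pid.get(e.ppid)
        if (parent is not None and RUNDLL32.search(parent.image)
                and "syswow64" in e.image.lower()
                and "system32" in parent.image.lower()):
            reasons.append("64-bit rundll32 relaunched itself as the 32-bit SysWOW64 copy")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    c2 = parse_c2(EXTRACTED_CONFIG)
    for rule in suricata_rules(c2, "40112"):
        print(rule)
    for pid, reasons in flag_rundll32(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The rundll32-to-rundll32 relaunch on its own is how Windows handles a 32-bit DLL on a 64-bit host, so that reason is only scored together with the Temp path and the ordinal export; the control event shows a normal rundll32 launch producing no finding. Feed real process-creation events (for example Sysmon Event ID 1) into ProcessEvent and the same function applies.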