Analysis
Max time kernel: 104s
Max time network: 104s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-04-2021 18:08
Static task: static1
General
Target: 63b362c6f8a1f46f1ba1493fe9e75376381ee9a43814c28b4ef18179a0ae2972.dll
Size: 157KB
MD5: aea309fc9c9e67f4fbe469c1c7c1fb61
SHA1: 835d32b1858be7e2f6af426a9aa753177797d49b
SHA256: 63b362c6f8a1f46f1ba1493fe9e75376381ee9a43814c28b4ef18179a0ae2972
SHA512: 058122558a9556d28f02688b9e01594d77812be1f4e8f35ceb6a970251f0c45a8beac42e68588031075b774a1b4f2810c5be521164443544e45afb5bf3cdef4a
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
Signatures

Dridex loader YARA match
Processes:
  resource | yara_rule
  behavioral1/memory/3480-115-0x0000000073660000-0x000000007368D000-memory.dmp | dridex_ldr

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 4008 wrote to memory of 3480 | 4008 | rundll32.exe | rundll32.exe
  PID 4008 wrote to memory of 3480 | 4008 | rundll32.exe | rundll32.exe
  PID 4008 wrote to memory of 3480 | 4008 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63b362c6f8a1f46f1ba1493fe9e75376381ee9a43814c28b4ef18179a0ae2972.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63b362c6f8a1f46f1ba1493fe9e75376381ee9a43814c28b4ef18179a0ae2972.dll,#1
      - Checks whether UAC is enabled