Analysis

- max time kernel: 98s
- max time network: 100s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 18:17
- Static task: static1

General

- Target: 9ba499a42056bd73b8c61dd0b716570211b3389ef4be7869f38f02c309613e51.dll
- Size: 154KB
- MD5: 5aad387340c592e059dea731da56f7ef
- SHA1: efae87e3d52a81b877c55716c8a7e6c16ded19fb
- SHA256: 9ba499a42056bd73b8c61dd0b716570211b3389ef4be7869f38f02c309613e51
- SHA512: b659e0dfdbc55dcc0b6ed54e6d33d5e4b64c2e6cd66ee45fbec9297de0e65ae8a8e11b241d90142e8d4fa8f156d6aafce4d4d8a13e0319dcaa3ee58dc26285c1

Malware Config (Extracted)

- Family: dridex
- Botnet: 40111
- C2:
  - 159.8.59.82:443
  - 51.91.156.39:2303
  - 67.196.50.240:8172
- rc4.plain

Signatures

- YARA rule match
  - resource: behavioral1/memory/4704-115-0x0000000073C30000-0x0000000073C5D000-memory.dmp
  - yara_rule: dridex_ldr

- Checks whether UAC is enabled
  - process: rundll32.exe
  - description: Key value queried
  - ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious use of WriteProcessMemory (3 IoCs)
  - process: rundll32.exe
  - PID 4656 wrote to memory of 4704 (rundll32.exe -> rundll32.exe)
  - PID 4656 wrote to memory of 4704 (rundll32.exe -> rundll32.exe)
  - PID 4656 wrote to memory of 4704 (rundll32.exe -> rundll32.exe)

Processes

- C:\Windows\system32\rundll32.exe
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ba499a42056bd73b8c61dd0b716570211b3389ef4be7869f38f02c309613e51.dll,#1
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe
    - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ba499a42056bd73b8c61dd0b716570211b3389ef4be7869f38f02c309613e51.dll,#1
    - Checks whether UAC is enabled