Analysis
- max time kernel: 38s
- max time network: 49s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 18:44
- Static task: static1
General
- Target: d22633d068e77142a5e90e378d8d856a91b69e42e721b366354af2d67bbde0e9.dll
- Size: 154KB
- MD5: ac08cb97ed57b489ec1c5e65f7125544
- SHA1: 4d7d1efb51d834097a28c7f6874c77acd02a6ef5
- SHA256: d22633d068e77142a5e90e378d8d856a91b69e42e721b366354af2d67bbde0e9
- SHA512: 20e9dab127229b6c7aa7f9bd9018f3c5778e4151ce90a8df7874b287ceaf507a4fd5ee9fa762552ae66f2b64a38528ef2426534479c49bffccba34fbc0cf0ec5
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 159.8.59.82:443
  - 51.91.156.39:2303
  - 67.196.50.240:8172
- rc4.plain (two keys extracted; the key values are not present on this page)
Signatures
- Yara match: dridex_ldr
  - resource: behavioral1/memory/1136-115-0x0000000074160000-0x000000007418D000-memory.dmp (memory of PID 1136)
- Checks whether UAC is enabled
  - process: rundll32.exe
  - description: Key value queried
  - ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of WriteProcessMemory (3 IoCs)
  - process: rundll32.exe (PID 908)
  - description: PID 908 wrote to memory of PID 1136 (rundll32.exe -> rundll32.exe), reported three times
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d22633d068e77142a5e90e378d8d856a91b69e42e721b366354af2d67bbde0e9.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d22633d068e77142a5e90e378d8d856a91b69e42e721b366354af2d67bbde0e9.dll,#1
    - Checks whether UAC is enabled

The 64-bit system32 rundll32.exe re-launches the same command line under the 32-bit SysWOW64 rundll32.exe, which is the normal WoW64 behaviour when a 32-bit DLL is handed to the 64-bit host; the yara hit and the EnableLUA query both occur in that 32-bit child (PID 1136), and the flagged memory range (0x74160000-0x7418D000) is consistent with a 32-bit address space.
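The behaviours listed above (rundll32 loading a DLL from the user's Temp directory, cross-process WriteProcessMemory between two rundll32 instances, a query of the EnableLUA policy value, and the extracted C2 endpoints) map directly onto endpoint telemetry. The following Python is an added example and is not part of this report or of any sandbox's code: it runs simple detection logic over constructed Sysmon-style events whose PIDs, image paths, DLL name and registry key mirror the report. The network connection to a listed C2 and the benign Explorer/Notepad events are assumptions introduced for the example, not activity the report records.

```python
"""Added example: detection logic over constructed Sysmon-style events.

Not the sandbox's own code. The sample events mirror the report: a 64-bit
rundll32 (PID 908) loading a DLL from the per-user Temp directory
(AppData/Local/Temp), writing into a SysWOW64 rundll32 child (PID 1136)
three times, and that child querying EnableLUA. The C2 connection and the
benign events are assumptions added for the example.
"""
from dataclasses import dataclass
from typing import Optional

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\d22633d068e77142a5e90e378d8d856a91b69e42e721b366354af2d67bbde0e9.dll")
RUNDLL64 = r"C:\Windows\system32\rundll32.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
ENABLELUA = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# C2 endpoints from the extracted Dridex config (botnet 40111) in this report.
DRIDEX_C2 = {("159.8.59.82", 443), ("51.91.156.39", 2303), ("67.196.50.240", 8172)}


@dataclass
class Event:
    kind: str                      # process_create | process_access | registry_query | network_connect
    pid: int
    image: str
    cmdline: str = ""
    ppid: Optional[int] = None
    target_pid: Optional[int] = None
    target_image: str = ""
    access: str = ""               # e.g. "WriteProcessMemory"
    key: str = ""
    dst_ip: str = ""
    dst_port: int = 0


# Constructed sample telemetry (not real sandbox output).
SAMPLE_EVENTS = [
    Event("process_create", 908, RUNDLL64, cmdline=f"rundll32.exe {DLL},#1"),
    Event("process_create", 1136, RUNDLL32, cmdline=f"rundll32.exe {DLL},#1", ppid=908),
    *[Event("process_access", 908, RUNDLL64, target_pid=1136, target_image=RUNDLL32,
            access="WriteProcessMemory") for _ in range(3)],
    Event("registry_query", 1136, RUNDLL32, key=ENABLELUA),
    # Assumed for the example: the child reaches one of the extracted C2 endpoints.
    Event("network_connect", 1136, RUNDLL32, dst_ip="159.8.59.82", dst_port=443),
    # Benign noise (assumed): Explorer launching Notepad, Notepad reading an unrelated key.
    Event("process_create", 2000, r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    Event("process_create", 2100, r"C:\Windows\system32\notepad.exe", cmdline="notepad.exe", ppid=2000),
    Event("registry_query", 2100, r"C:\Windows\system32\notepad.exe",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"),
]


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def loads_dll_from_user_temp(cmdline: str) -> bool:
    # rundll32 given a DLL under the per-user Temp directory, a user-writable drop location.
    c = cmdline.lower()
    return "\\appdata\\local\\temp\\" in c and ".dll" in c


def detect(events):
    """Return (tag, pid, detail) tuples, one per matching event."""
    hits = []
    for ev in events:
        if ev.kind == "process_create" and is_rundll32(ev.image) and loads_dll_from_user_temp(ev.cmdline):
            hits.append(("rundll32_user_temp_dll", ev.pid, ev.cmdline))
        elif (ev.kind == "process_access" and ev.access == "WriteProcessMemory"
              and is_rundll32(ev.image) and is_rundll32(ev.target_image) and ev.pid != ev.target_pid):
            hits.append(("rundll32_writes_rundll32", ev.pid, ev.target_pid))
        elif ev.kind == "registry_query" and ev.key.lower().endswith("\\policies\\system\\enablelua"):
            hits.append(("uac_enabled_check", ev.pid, ev.key))
        elif ev.kind == "network_connect" and (ev.dst_ip, ev.dst_port) in DRIDEX_C2:
            hits.append(("dridex_c2_contact", ev.pid, f"{ev.dst_ip}:{ev.dst_port}"))
    return hits


def suspicious_chains(events):
    """Correlate per-PID tags into parent->child pairs with the report's shape: the parent
    loaded a Temp DLL and wrote into a child rundll32 that then checked whether UAC is on."""
    tags = {}
    for tag, pid, detail in detect(events):
        tags.setdefault(pid, set()).add(tag)
        if tag == "rundll32_writes_rundll32":
            tags.setdefault(detail, set()).add("written_by_rundll32")
    parents = {ev.pid: ev.ppid for ev in events if ev.kind == "process_create"}
    chains = []
    for child, child_tags in tags.items():
        parent = parents.get(child)
        if parent is None:
            continue
        if ({"written_by_rundll32", "uac_enabled_check"} <= child_tags
                and {"rundll32_user_temp_dll", "rundll32_writes_rundll32"} <= tags.get(parent, set())):
            chains.append((parent, child))
    return chains


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("chains:", suspicious_chains(SAMPLE_EVENTS))
```

Each individual rule is noisy on its own (rundll32 loading from Temp shows up in some installers, and the EnableLUA query is made by plenty of legitimate software), which is why `suspicious_chains` only raises the parent/child pair when the Temp-DLL load, the cross-process write and the UAC check line up the way this report shows them.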