Analysis
- max time kernel: 41s
- max time network: 49s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 18:07
- Static task: static1
General
- Target: bff76d79cb5ebf7c2d171d265399e27ddc9494fd5d369cef63928b532751dd23.dll
- Size: 157KB
- MD5: 823868adfaa675feb27d75b8ef3aea66
- SHA1: 1e9d88a6d486e45584d9cf40c550a8126dbd8312
- SHA256: bff76d79cb5ebf7c2d171d265399e27ddc9494fd5d369cef63928b532751dd23
- SHA512: 5beea4e387db7c492e727e64d439d2519be25245ee83eb786929e13d50854b792fe14f350fce8f593d736e91b597fe4ece7eb739ff7a73169918916bd46bf5b0
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
- rc4.plain
Signatures
- YARA rule match: dridex_ldr
  Processes:
    resource: behavioral1/memory/3700-115-0x0000000073EE0000-0x0000000073F0D000-memory.dmp
    yara_rule: dridex_ldr
- Checks whether UAC is enabled
  Processes: rundll32.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description: PID 4060 wrote to memory of 3700 | pid: 4060 | process: rundll32.exe | target process: rundll32.exe
    description: PID 4060 wrote to memory of 3700 | pid: 4060 | process: rundll32.exe | target process: rundll32.exe
    description: PID 4060 wrote to memory of 3700 | pid: 4060 | process: rundll32.exe | target process: rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bff76d79cb5ebf7c2d171d265399e27ddc9494fd5d369cef63928b532751dd23.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bff76d79cb5ebf7c2d171d265399e27ddc9494fd5d369cef63928b532751dd23.dll,#1
    - Checks whether UAC is enabled