Analysis
  max time kernel: 97s
  max time network: 97s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 21-04-2021 23:46
  Static task: static1
General
  Target: 7692f04159b49f1ce8c0c4efc3fec442ba2331c1e76ff57c2c833618e58964d9.dll (the file is named after its own SHA256)
  Size: 154KB
  MD5: 166828817995fbefe7547876c6e6a3ae
  SHA1: 2bb7570eea6759ad6b983cd4f0a919c71e47ffff
  SHA256: 7692f04159b49f1ce8c0c4efc3fec442ba2331c1e76ff57c2c833618e58964d9
  SHA512: 0920b00776fba497c041386c69c8644e734fbe4ac3fcf7ddd251d21c2f2646a0bdbd471b825fc6abbabb2048672f642e2966a68ee40842e1b5e29d3cea577a78
Malware Config
Extracted
  Family: dridex
  Botnet: 40111
  C2:
    159.8.59.82:443
    51.91.156.39:2303
    67.196.50.240:8172
  rc4.plain: (key value not captured on this page)
  rc4.plain: (key value not captured on this page)

Two of the three C2 endpoints listen on non-standard ports (2303 and 8172), so an egress rule or alert that only watches port 443 covers just one of them; block or alert on the full ip:port list, not on the addresses alone.
Signatures

YARA rule match: dridex_ldr
  resource: behavioral1/memory/3236-115-0x0000000073F20000-0x0000000073F4D000-memory.dmp
  yara_rule: dridex_ldr
  The matching dump comes from PID 3236 (the SysWOW64 rundll32.exe listed under Processes), region 0x73F20000-0x73F4D000 (0x2D000 bytes), an address range inside the 32-bit address space.

Checks whether UAC is enabled (1 IoC)
  process: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       target pid  target process
  PID 3728 wrote to memory of 3236   3728  rundll32.exe  3236        rundll32.exe
  PID 3728 wrote to memory of 3236   3728  rundll32.exe  3236        rundll32.exe
  PID 3728 wrote to memory of 3236   3728  rundll32.exe  3236        rundll32.exe
  All three writes go from the System32 rundll32.exe (PID 3728) into its own child, the SysWOW64 rundll32.exe (PID 3236). A 64-bit rundll32.exe that is handed a 32-bit DLL launches the 32-bit rundll32.exe to load it, so parent-to-child writes at launch are expected here; these entries do not by themselves show injection into an unrelated process.
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7692f04159b49f1ce8c0c4efc3fec442ba2331c1e76ff57c2c833618e58964d9.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    child:
      C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7692f04159b49f1ce8c0c4efc3fec442ba2331c1e76ff57c2c833618e58964d9.dll,#1
        signatures: Checks whether UAC is enabled

The DLL is invoked by export ordinal (,#1) rather than by export name. The hand-off from the 64-bit System32 rundll32.exe to its SysWOW64 counterpart means the sample is a 32-bit DLL run under WoW64 on the x64 guest, which matches the 32-bit address range of the dumped loader region in the YARA match above.
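The report's IoC tables arrive as flattened one-line records, which is exactly the form an analyst has to turn into blocklists and detections. The script below is an added example, not sandbox output and not part of this report: it parses a REPORT text constructed from the values on this page (hashes, C2 list, the YARA dump name, the WriteProcessMemory records and the two rundll32 launches), validates each field before it is trusted, decodes the dump name into pid and region size, collapses the three identical WriteProcessMemory IoCs into one parent-to-child edge, and checks whether that edge is the System32-to-SysWOW64 rundll32 re-launch discussed above. The one-record-per-line layout, the helper names and the `fits_32bit_address_space` heuristic are this example's own assumptions.

```python
"""Parse the flattened IOC records of the report above into checked, structured data.

Added example, not sandbox output or part of the report. REPORT is constructed from the
values on this page; the one-record-per-line layout and the helper names are assumptions.
"""
import ipaddress
import re

REPORT = r"""
MD5 166828817995fbefe7547876c6e6a3ae
SHA1 2bb7570eea6759ad6b983cd4f0a919c71e47ffff
SHA256 7692f04159b49f1ce8c0c4efc3fec442ba2331c1e76ff57c2c833618e58964d9
Family dridex
Botnet 40111
C2 159.8.59.82:443
C2 51.91.156.39:2303
C2 67.196.50.240:8172
yara_rule behavioral1/memory/3236-115-0x0000000073F20000-0x0000000073F4D000-memory.dmp dridex_ldr
PID 3728 wrote to memory of 3236 3728 rundll32.exe rundll32.exe
PID 3728 wrote to memory of 3236 3728 rundll32.exe rundll32.exe
PID 3728 wrote to memory of 3236 3728 rundll32.exe rundll32.exe
Process C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\7692f04159b49f1ce8c0c4efc3fec442ba2331c1e76ff57c2c833618e58964d9.dll,#1
Process C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\7692f04159b49f1ce8c0c4efc3fec442ba2331c1e76ff57c2c833618e58964d9.dll,#1
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(r"(?P<pid>\d+)-(?P<event>\d+)-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")
RUNDLL32_RE = re.compile(r"^C:\\Windows\\(system32|SysWOW64)\\rundll32\.exe\s+rundll32\.exe\s+(\S+\.dll),(\S+)$", re.I)

def parse_hashes(report):
    """Digests by algorithm; a digest of the wrong length is refused rather than copied into a blocklist."""
    out = {}
    for algo, digest in re.findall(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)\s*$", report, re.M):
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
        out[algo] = digest.lower()
    return out

def parse_c2(report):
    """C2 endpoints as (ip, port); ipaddress rejects anything that is not an IP literal."""
    endpoints = []
    for host, port in re.findall(r"^C2\s+(\S+):(\d+)\s*$", report, re.M):
        ip, port = ipaddress.ip_address(host), int(port)  # ValueError on a bad address
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port} for {host}")
        endpoints.append((str(ip), port))
    return endpoints

def parse_memory_dump(name):
    """Decode a Triage-style dump name into pid, event number and the dumped region."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    if end <= base:
        raise ValueError("region end must be above its base")
    return {"pid": int(m["pid"]), "event": int(m["event"]), "base": base, "end": end,
            "size": end - base,
            # assumption: a region entirely below 4 GiB is consistent with a WoW64 (32-bit) process
            "fits_32bit_address_space": end <= 1 << 32}

def parse_yara_hits(report):
    """(dump info, rule name) for every YARA match line."""
    return [(parse_memory_dump(res), rule)
            for res, rule in re.findall(r"^yara_rule\s+(\S+)\s+(\S+)\s*$", report, re.M)]

def parse_write_process_memory(report):
    """Collapse repeated WriteProcessMemory IoCs into (src pid, dst pid, src image, dst image) -> count."""
    edges = {}
    pat = r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)\s*$"
    for src, dst, src_img, dst_img in re.findall(pat, report, re.M):
        key = (int(src), int(dst), src_img, dst_img)
        edges[key] = edges.get(key, 0) + 1
    return edges

def parse_rundll32(cmdline):
    """Split a rundll32 launch into host directory, DLL path and export ('#1' is ordinal 1)."""
    m = RUNDLL32_RE.match(cmdline.strip())
    return None if not m else {"dir": m[1].lower(), "dll": m[2].lower(), "export": m[3]}

def is_wow64_relaunch(parent_cmdline, child_cmdline):
    """True when the System32 (64-bit) rundll32 hands the same DLL and export to its SysWOW64 twin;
    a parent-to-child WriteProcessMemory between these two is then not evidence of injection elsewhere."""
    p, c = parse_rundll32(parent_cmdline), parse_rundll32(child_cmdline)
    return bool(p and c and p["dir"] == "system32" and c["dir"] == "syswow64"
                and p["dll"] == c["dll"] and p["export"] == c["export"])

def process_lines(report):
    return re.findall(r"^Process\s+(.+?)\s*$", report, re.M)

if __name__ == "__main__":
    print(parse_hashes(REPORT), parse_c2(REPORT))
    for dump, rule in parse_yara_hits(REPORT):
        print(rule, "in pid", dump["pid"], "region", hex(dump["size"]), "bytes")
    print(parse_write_process_memory(REPORT))
    print("WoW64 re-launch:", is_wow64_relaunch(*process_lines(REPORT)))
```

Run stand-alone it prints the validated hashes and C2 list, the dridex_ldr hit as pid 3236 with a 0x2d000-byte region, the single collapsed edge 3728 -> 3236 with a count of 3, and `WoW64 re-launch: True`. The validation steps are deliberate: a digest of the wrong length or a hostname in the C2 column is refused up front, because an IoC that silently fails to match is worse than one that raises.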