Analysis
  Max time kernel: 90s
  Max time network: 92s
  Platform: windows10_x64
  Resource: win10v20210410
  Submitted: 21-04-2021 18:17
  Static task: static1
General
  Target: 7b6e8dc4fa45951c1aa14972bca5631c6eed944f9b7fe7e808a5329aeb12b3c5.dll
  Size: 154KB
  MD5: 966024e98e57021fdc2aa0697b6d13c4
  SHA1: e95be9f63d9933de2b24437bbfbc43990815ac0e
  SHA256: 7b6e8dc4fa45951c1aa14972bca5631c6eed944f9b7fe7e808a5329aeb12b3c5
  SHA512: 1db631d098411a04373fb9058a6a46da587f79de0a1216aaa7bed36fb7343c1392aa1d9b239d5c4e71e6fc356c538b40e0894f2604557274d7a13f223e41c4e2
Malware Config
  Extracted
    Family: dridex
    Botnet: 40111
    C2:
      159.8.59.82:443
      51.91.156.39:2303
      67.196.50.240:8172
    rc4.plain
    rc4.plain
Signatures

  YARA rule match in process memory: dridex_ldr
    resource: behavioral1/memory/4456-115-0x0000000073820000-0x000000007384D000-memory.dmp
    yara_rule: dridex_ldr
    (The dump comes from PID 4456, the SysWOW64 rundll32.exe child in the process tree below; the match sits in a 32-bit address range inside that process.)

  Checks whether UAC is enabled
    process: rundll32.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

  Suspicious use of WriteProcessMemory (3 IoCs)
    process: rundll32.exe (PID 4444)
    target process: rundll32.exe (PID 4456)
    description: PID 4444 wrote to memory of 4456, recorded three times
Processes

  C:\Windows\system32\rundll32.exe (PID 4444)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b6e8dc4fa45951c1aa14972bca5631c6eed944f9b7fe7e808a5329aeb12b3c5.dll,#1
    - Suspicious use of WriteProcessMemory
    ⤵ C:\Windows\SysWOW64\rundll32.exe (PID 4456)
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b6e8dc4fa45951c1aa14972bca5631c6eed944f9b7fe7e808a5329aeb12b3c5.dll,#1
        - Checks whether UAC is enabled

  The DLL is invoked by ordinal (",#1"), so the export name gives no hint of intent. The 64-bit System32 rundll32.exe spawning the SysWOW64 copy and writing into it is consistent with rundll32's own hand-off when it is given a 32-bit DLL, so that pair of signatures is weak evidence on its own; the dridex_ldr memory match and the EnableLUA query in the 32-bit child are the stronger indicators in this report.
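The signatures and process tree above can be turned into a behavioural match. The following is an added example, not code from the sandbox vendor or from the report: it encodes the indicators the report lists (the sample SHA256, the three C2 endpoints, the EnableLUA query, and the rundll32-to-rundll32 memory write) and evaluates them against constructed Sysmon-style events that mirror the PID 4444 -> 4456 tree. The event schema and field names, the constructed C2 connection, and the `is_suspicious` threshold are assumptions; the report itself records no network connection, only the extracted C2 list.

```python
"""Behavioural match for the Dridex report above (added example).

Not code from the sandbox vendor or the sample. Indicator values are copied
from the report; the event schema, field names, constructed events and the
is_suspicious() threshold are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Indicators copied from the report.
SAMPLE_SHA256 = "7b6e8dc4fa45951c1aa14972bca5631c6eed944f9b7fe7e808a5329aeb12b3c5"
C2_ENDPOINTS = {("159.8.59.82", 443), ("51.91.156.39", 2303), ("67.196.50.240", 8172)}
ENABLELUA_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Policies\System\EnableLUA")

RUNDLL32_64 = r"c:\windows\system32\rundll32.exe"   # 64-bit host on x64 Windows
RUNDLL32_32 = r"c:\windows\syswow64\rundll32.exe"   # 32-bit (WoW64) host
# "<path>.dll,#<n>": export invoked by ordinal, as in the report's command lines.
ORDINAL_EXPORT = re.compile(r"\.dll,#(\d+)\b", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like event (assumed schema)."""
    kind: str            # "process", "registry", "network" or "memwrite"
    pid: int
    image: str
    data: dict = field(default_factory=dict)


def match_events(events):
    """Return the set of report indicators observed in `events`."""
    hits = set()
    procs = {e.pid: e for e in events if e.kind == "process"}
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            cmd = e.data.get("cmdline", "")
            m = ORDINAL_EXPORT.search(cmd)
            if m and m.group(1) == "1" and SAMPLE_SHA256 in cmd.lower():
                hits.add("rundll32 ordinal #1 of sample DLL")
            parent = procs.get(e.data.get("ppid"))
            if parent and img == RUNDLL32_32 and parent.image.lower() == RUNDLL32_64:
                hits.add("system32 rundll32 -> SysWOW64 rundll32")
        elif e.kind == "registry":
            if e.data.get("key", "").lower() == ENABLELUA_KEY.lower():
                hits.add("EnableLUA queried")
        elif e.kind == "network":
            dst = (e.data.get("dst_ip"), e.data.get("dst_port"))
            if dst in C2_ENDPOINTS:
                hits.add(f"C2 {dst[0]}:{dst[1]}")
        elif e.kind == "memwrite":
            target = procs.get(e.data.get("target_pid"))
            if target and img == RUNDLL32_64 and target.image.lower() == RUNDLL32_32:
                hits.add("WriteProcessMemory rundll32 -> rundll32")
    return hits


def is_suspicious(hits):
    """Assumed threshold. The 64-bit rundll32 spawning and writing into the
    SysWOW64 copy is also what happens when it is handed a 32-bit DLL, so that
    pair is only counted together with the UAC check; C2 contact stands alone."""
    if any(h.startswith("C2 ") for h in hits):
        return True
    return {"EnableLUA queried", "WriteProcessMemory rundll32 -> rundll32"} <= hits


def report_events():
    """Constructed events mirroring the report's tree (PID 4444 -> 4456)."""
    dll = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\7b6e8dc4fa45951c1aa14972bca5631c6eed944f9b7fe7e808a5329aeb12b3c5.dll")
    p64, p32 = r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"
    events = [
        Event("process", 4444, p64, {"ppid": 1000, "cmdline": f"rundll32.exe {dll},#1"}),
        Event("process", 4456, p32, {"ppid": 4444, "cmdline": f"rundll32.exe {dll},#1"}),
        Event("registry", 4456, p32, {"key": ENABLELUA_KEY}),
        # Constructed: the report lists this C2 but records no connection to it.
        Event("network", 4456, p32, {"dst_ip": "159.8.59.82", "dst_port": 443}),
    ]
    events += [Event("memwrite", 4444, p64, {"target_pid": 4456}) for _ in range(3)]
    return events


def benign_events():
    """Constructed control: rundll32 calling a system DLL export by name."""
    return [Event("process", 500, r"C:\Windows\system32\rundll32.exe",
                  {"ppid": 1000,
                   "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"})]


if __name__ == "__main__":
    found = match_events(report_events())
    for h in sorted(found):
        print("hit:", h)
    print("suspicious:", is_suspicious(found))
    print("benign control:", match_events(benign_events()) or "no hits")
```

Run against the constructed report events it returns five hits and a suspicious verdict; against the benign control it returns no hits. The parent/child lookup keys on the PID table built from the process events, so memwrite and spawn checks only fire when both ends of the relationship are present in the same batch.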