Analysis
  max time kernel:   38s
  max time network:  46s
  platform:          windows10_x64
  resource:          win10v20210410
  submitted:         21-04-2021 22:24
  Static task:       static1
General
  Target:  cf4d235f5a071a98da44b0a1256f6bfd77fc06f240fbe7f8e3d49b5ef3de5fc8.dll
  Size:    158KB
  MD5:     efdaf166b391d9ffd7559180ce480df4
  SHA1:    f1318c4817b4409ae5ec1c61e0cc48ce1e9d0389
  SHA256:  cf4d235f5a071a98da44b0a1256f6bfd77fc06f240fbe7f8e3d49b5ef3de5fc8
  SHA512:  28a7b66f187ee49ac2766f12c50d49deb263bca8466bd43cbbaa57fb961a2b2c09415a268783327d2a87b17a2b72d5aeca67e906b79a8da06859f10155956fe8
Malware Config
  Extracted
    Family:  dridex
    Botnet:  40111
    C2:      8.210.53.215:443
             72.249.22.245:2303
             188.40.137.206:8172
    rc4.plain
    rc4.plain
Signatures
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/3480-115-0x0000000073660000-0x000000007368D000-memory.dmp  dridex_ldr

  Processes: rundll32.exe
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

  Suspicious use of WriteProcessMemory  (3 IoCs)
  Processes: rundll32.exe
    description                       pid   process       target process
    PID 2232 wrote to memory of 3480  2232  rundll32.exe  rundll32.exe
    PID 2232 wrote to memory of 3480  2232  rundll32.exe  rundll32.exe
    PID 2232 wrote to memory of 3480  2232  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf4d235f5a071a98da44b0a1256f6bfd77fc06f240fbe7f8e3d49b5ef3de5fc8.dll,#1
    - Suspicious use of WriteProcessMemory
    └ C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf4d235f5a071a98da44b0a1256f6bfd77fc06f240fbe7f8e3d49b5ef3de5fc8.dll,#1
        - Checks whether UAC is enabled