Analysis
max time kernel: 57s
max time network: 58s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 18:04
Static task: static1
General
Target: f26e908e50ba994d1368f0d9eecc0062d3e8f7333e07e435da956e865a79a07a.dll
Size: 157KB
MD5: 801a5302977668e4976a9daa77218178
SHA1: ede73c804c26a1d81388585339443a31b79dfdcb
SHA256: f26e908e50ba994d1368f0d9eecc0062d3e8f7333e07e435da956e865a79a07a
SHA512: 1a5b746c8e7c6e0a544915d5d11cf12c190e54848466da2fe382487f33fa50456e0efa5714917401e2d404b1ed98af1472493301b7bbede615633ae8b305931d
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
Signatures

Processes:
resource | yara_rule
behavioral1/memory/3928-115-0x0000000073F20000-0x0000000073F4D000-memory.dmp | dridex_ldr

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 4036 wrote to memory of 3928 | 4036 | rundll32.exe | rundll32.exe
PID 4036 wrote to memory of 3928 | 4036 | rundll32.exe | rundll32.exe
PID 4036 wrote to memory of 3928 | 4036 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f26e908e50ba994d1368f0d9eecc0062d3e8f7333e07e435da956e865a79a07a.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f26e908e50ba994d1368f0d9eecc0062d3e8f7333e07e435da956e865a79a07a.dll,#1
    - Checks whether UAC is enabled