Analysis
  max time kernel: 115s
  max time network: 116s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 21-04-2021 18:44
  Static task: static1
General
  Target: fa648f3db912983df6697c24af5e0273195b7c35888be6cb4b82f128c72251d6.dll
  Size: 154KB
  MD5: c283b405fcc1a21f18a2fb206a002bc3
  SHA1: f3bbca5029122aa023ea507f13eefc8bf701e057
  SHA256: fa648f3db912983df6697c24af5e0273195b7c35888be6cb4b82f128c72251d6
  SHA512: b4e6b3cda39ddc0bbda4d09e3b15253c32a5949e5f73ef8efeab9e856e5d1cd8cf5db8edec500058478e6c99f1a5fb03872c08f0ac0e07c9d45f04057e4ce277
Malware Config
  Extracted
    Family: dridex
    Botnet: 40111
    C2:
      159.8.59.82:443
      51.91.156.39:2303
      67.196.50.240:8172
    rc4.plain
    rc4.plain
Signatures
  Processes:
    resource                                                                        | yara_rule
    behavioral1/memory/4776-115-0x0000000073C30000-0x0000000073C5D000-memory.dmp    | dridex_ldr

  Processes: rundll32.exe
    description        | ioc                                                                                  | process
    Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                       | pid  | process      | target process
    PID 4656 wrote to memory of 4776  | 4656 | rundll32.exe | rundll32.exe
    PID 4656 wrote to memory of 4776  | 4656 | rundll32.exe | rundll32.exe
    PID 4656 wrote to memory of 4776  | 4656 | rundll32.exe | rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa648f3db912983df6697c24af5e0273195b7c35888be6cb4b82f128c72251d6.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa648f3db912983df6697c24af5e0273195b7c35888be6cb4b82f128c72251d6.dll,#1
      - Checks whether UAC is enabled