Analysis
max time kernel: 94s
max time network: 96s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 18:44
Static task: static1
General
Target: ae1b0338a96f1cfea9c89375a7f30fbe7c185e909ead28326fb3330593466cbd.dll
Size: 154KB
MD5: dee7a47c887210b450ad00fc12b217d8
SHA1: 0d887dca544bbad9b72724a17463ac6e2000e2db
SHA256: ae1b0338a96f1cfea9c89375a7f30fbe7c185e909ead28326fb3330593466cbd
SHA512: 42bb0dc22754c3ec064963bb557521c267c9d6061dc145ec9c02ef31359e35aeb98dde7f0fe7423e87c5d692c06005cabada631777956ee880b36cc58e89eca3
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  159.8.59.82:443
  51.91.156.39:2303
  67.196.50.240:8172
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/1212-115-0x0000000073D90000-0x0000000073DBD000-memory.dmp
  yara_rule: dridex_ldr

Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description: PID 992 wrote to memory of 1212 | pid: 992 | process: rundll32.exe | target process: rundll32.exe
  description: PID 992 wrote to memory of 1212 | pid: 992 | process: rundll32.exe | target process: rundll32.exe
  description: PID 992 wrote to memory of 1212 | pid: 992 | process: rundll32.exe | target process: rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae1b0338a96f1cfea9c89375a7f30fbe7c185e909ead28326fb3330593466cbd.dll,#1
  signature: Suspicious use of WriteProcessMemory
  PID: 992

  C:\Windows\SysWOW64\rundll32.exe (child of PID 992)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae1b0338a96f1cfea9c89375a7f30fbe7c185e909ead28326fb3330593466cbd.dll,#1
    signature: Checks whether UAC is enabled
    PID: 1212