Analysis
  max time kernel: 108s
  max time network: 110s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 21-04-2021 18:10
  Static task: static1
General
  Target: 081bd1057fccf92a3a27ba53c77a7d35d58fdb8abf56317dbb89041a65df0b86.dll
  Size: 154KB
  MD5: 2f57bc296ceed7af0fd12e4203c89ff0
  SHA1: ee3a34eeddfe6a2af02d777a6cb70d6701de3c38
  SHA256: 081bd1057fccf92a3a27ba53c77a7d35d58fdb8abf56317dbb89041a65df0b86
  SHA512: 75afa3b8e65e42994e7c43c029fee5df21a6e81fb9005ae5bb1173d52d865b8877b189efd7d1ee5eb9d635f9a9c7190a43e2c3f3fc220b8d42e4ceec357d8f7b
Malware Config
  Extracted
    Family: dridex
    Botnet: 40111
    C2:
      159.8.59.82:443
      51.91.156.39:2303
      67.196.50.240:8172
    rc4.plain
    rc4.plain
Signatures
  Processes (YARA rule match):
    resource                                                                          | yara_rule
    behavioral1/memory/996-115-0x0000000074300000-0x000000007432D000-memory.dmp      | dridex_ldr

  Processes (registry query):
    description        | ioc                                                                              | process
    Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
    description      | pid | process      | target process
    PID 624 wrote to memory of 996 | 624 | rundll32.exe | rundll32.exe
    PID 624 wrote to memory of 996 | 624 | rundll32.exe | rundll32.exe
    PID 624 wrote to memory of 996 | 624 | rundll32.exe | rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\081bd1057fccf92a3a27ba53c77a7d35d58fdb8abf56317dbb89041a65df0b86.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 624
      C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\081bd1057fccf92a3a27ba53c77a7d35d58fdb8abf56317dbb89041a65df0b86.dll,#1
        - Checks whether UAC is enabled
        PID: 996