Analysis
- max time kernel: 46s
- max time network: 56s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-04-2021 22:47
- Static task: static1
General
- Target: a6fd740b8b78cf105554ec11a13b731705f579ff55edbdf02a0a2f117bdcfa17.dll
- Size: 158KB
- MD5: 8732fcbfdadb9f2a5d95127a26306cb2
- SHA1: fb1a3f015893a82eb296888c336c480ec411017b
- SHA256: a6fd740b8b78cf105554ec11a13b731705f579ff55edbdf02a0a2f117bdcfa17
- SHA512: 4d783c764431d7efb182f018eb6471b418007a7ab2e919669bfce71609f08ed105bb2903405b580efb1c0845c67e59f15dcc96106e104fef1e1a24d8525ab678
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 8.210.53.215:443
  - 72.249.22.245:2303
  - 188.40.137.206:8172
- rc4.plain
- rc4.plain
Signatures

Processes:
  resource                                                                          | yara_rule
  behavioral1/memory/1212-115-0x0000000073FB0000-0x0000000073FDD000-memory.dmp      | dridex_ldr

Processes:
  description        | ioc                                                                                   | process
  Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      | pid | process       | target process
  PID 640 wrote to memory of 1212  | 640 | rundll32.exe  | rundll32.exe
  PID 640 wrote to memory of 1212  | 640 | rundll32.exe  | rundll32.exe
  PID 640 wrote to memory of 1212  | 640 | rundll32.exe  | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6fd740b8b78cf105554ec11a13b731705f579ff55edbdf02a0a2f117bdcfa17.dll,#1
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6fd740b8b78cf105554ec11a13b731705f579ff55edbdf02a0a2f117bdcfa17.dll,#1
      - Checks whether UAC is enabled