Analysis
max time kernel: 37s
max time network: 47s
platform: windows10_x64
resource: win10v20210410
submitted: 04-05-2021 14:49
Static task: static1
General
Target: 4c0ad7846b6327e680f4c4084eace169c52c701546f59ba428d1f1e01214540a.dll
Size: 158KB
MD5: b1aa4a5139a25832d420db0e297b62b1
SHA1: c3e53995cfb1518b4460f13dcf0c269d95fd1bad
SHA256: 4c0ad7846b6327e680f4c4084eace169c52c701546f59ba428d1f1e01214540a
SHA512: ba01784648e5cd52871501d6acd958c14c6df5c7d937afb45d1de44cf8356cd74eff27704100798347478040c255076e58cd50bed0cd386cdf09b1ebe1748230
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
8.210.53.215:443
72.249.22.245:2303
188.40.137.206:8172
rc4.plain
rc4.plain
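The C2 list above is the part of the config a network defender acts on first. The following is an added example, not code from the report, the sandbox or the malware: it validates the three extracted ip:port entries, turns them into exact and host-only indicators, and matches them against a few constructed connection records. The 'ts src_ip src_port dst_ip dst_port' record layout and the sample records are assumptions; the endpoints are the ones the report lists.

```python
"""Turn the extracted Dridex C2 list into network indicators and match traffic.

Added example, not code from the report or the sandbox. The three C2 endpoints
are the ones the report lists; the connection records are constructed, and
their 'ts src_ip src_port dst_ip dst_port' layout is an assumption.
"""
import ipaddress

# Verbatim from the report's extracted config (family dridex, botnet 40111).
C2_ENDPOINTS = ["8.210.53.215:443", "72.249.22.245:2303", "188.40.137.206:8172"]

# Constructed connection records (not real telemetry).
SAMPLE_CONN = [
    "1620139800.1 10.0.0.15 49812 8.210.53.215 443",     # exact C2 hit on port 443
    "1620139801.4 10.0.0.15 49813 203.0.113.7 443",      # unrelated outbound 443
    "1620139802.9 10.0.0.15 49814 188.40.137.206 443",   # C2 host, port not in config
    "1620139803.2 10.0.0.22 51000 72.249.22.245 2303",   # exact C2 hit, non-standard port
]


def parse_endpoint(entry):
    """'ip:port' -> (ip, port). Malformed entries raise rather than silently matching nothing."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {entry!r}")
    ip = str(ipaddress.ip_address(host))   # raises ValueError on anything that is not an IP
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {entry!r}")
    return ip, port


def build_indicators(endpoints):
    """Exact (ip, port) pairs plus the bare hosts, so a port change still surfaces."""
    exact = {parse_endpoint(e) for e in endpoints}
    hosts = {ip for ip, _ in exact}
    return exact, hosts


def match_connections(lines, endpoints):
    """Return (ts, src, dst, dport, tier) for every record touching a C2 indicator."""
    exact, hosts = build_indicators(endpoints)
    hits = []
    for line in lines:
        ts, src, _sport, dst, dport = line.split()
        dport = int(dport)
        if (dst, dport) in exact:
            hits.append((ts, src, dst, dport, "exact"))
        elif dst in hosts:
            hits.append((ts, src, dst, dport, "host-only"))   # lower confidence, still worth a look
    return hits


if __name__ == "__main__":
    for hit in match_connections(SAMPLE_CONN, C2_ENDPOINTS):
        print(*hit)
```

The host-only tier exists because a config lists one port per address but the same address on a different port is still the same operator's host; flag it at lower confidence rather than dropping it. Validating each entry up front catches a mangled extraction (a missing port, a hostname where an IP was expected) instead of producing an indicator that can never match.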
Signatures

YARA rule match (dridex_ldr)
resource: behavioral1/memory/4480-115-0x0000000073820000-0x000000007384D000-memory.dmp
yara_rule: dridex_ldr
The hit is in a memory dump of PID 4480, the SysWOW64 (32-bit) rundll32 instance in the process tree below; 0x73820000-0x7384D000 is a 32-bit address range, consistent with the loader DLL being mapped in that process.

Checks whether UAC is enabled
process: rundll32.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of WriteProcessMemory (3 IoCs)
process: rundll32.exe (PID 4444)
target process: rundll32.exe (PID 4480)
description: PID 4444 wrote to memory of 4480 (three identical IoCs)
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0ad7846b6327e680f4c4084eace169c52c701546f59ba428d1f1e01214540a.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of the process above)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0ad7846b6327e680f4c4084eace169c52c701546f59ba428d1f1e01214540a.dll,#1
    - Checks whether UAC is enabled

The DLL is invoked by ordinal (#1) rather than by export name, from a user-writable Temp path. The 64-bit rundll32 in System32 relaunching its 32-bit counterpart in SysWOW64 with the same arguments is normal Windows behaviour when the DLL is 32-bit, and the three WriteProcessMemory IoCs are from that parent (PID 4444) into that child (PID 4480), not into an unrelated process; they should not be read as injection on their own. The EnableLUA query and the YARA hit both come from the 32-bit instance, which is the one that actually loaded the DLL.
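The behaviour above (rundll32 loading a Temp DLL by ordinal, a parent-to-child WriteProcessMemory pair, and an EnableLUA query) is the kind of chain a host-based detection should score as a whole rather than as three unrelated alerts. The following is an added example, not code from the report, the sandbox or the malware: it runs simple rules over event records constructed to mirror the report's process tree and IoC tables. The pids, image paths and command lines are taken from the report; the event schema (dicts with type, pid, ppid, image, cmdline, target_pid, key) and the severity tiers are assumptions.

```python
"""Triage the rundll32 behaviour chain shown in the report.

Added example, not code from the report, the sandbox or the malware. The event
records are constructed to mirror the report's process tree, registry query and
WriteProcessMemory IoCs; pids and paths come from the report, the event schema
is assumed.
"""
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\4c0ad7846b6327e680f4c4084eace169c52c701546f59ba428d1f1e01214540a.dll"

# Constructed events in the shape of the report's IoC tables (not real telemetry).
EVENTS = [
    {"type": "process_create", "pid": 4444, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 4480, "ppid": 4444,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "write_process_memory", "pid": 4444, "target_pid": 4480},
    {"type": "write_process_memory", "pid": 4444, "target_pid": 4480},
    {"type": "write_process_memory", "pid": 4444, "target_pid": 4480},
    {"type": "registry_query", "pid": 4480,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
]

ORDINAL_EXPORT = re.compile(r"\.dll\s*,\s*#(\d+)\s*$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
UAC_KEY_SUFFIX = r"\policies\system\enablelua"
SEVERITY_ORDER = ["info", "low", "medium", "high"]


def is_rundll32(image):
    return image.lower().endswith(r"\rundll32.exe")


def lineage(procs, pid):
    """pid plus every ancestor we have a process_create record for."""
    chain = {pid}
    p = procs.get(pid)
    while p and p["ppid"] in procs:
        chain.add(p["ppid"])
        p = procs[p["ppid"]]
    return chain


def triage(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []   # (severity, pid, message)

    # Rule 1: rundll32 loading a DLL from a user-writable path by ordinal export.
    suspect = set()
    for pid, p in procs.items():
        m = ORDINAL_EXPORT.search(p["cmdline"])
        if is_rundll32(p["image"]) and m and USER_WRITABLE.search(p["cmdline"]):
            suspect.add(pid)
            findings.append(("high", pid, f"rundll32 loads DLL from user-writable path by ordinal #{m.group(1)}"))

    # Rule 2: cross-process writes. A System32 rundll32 writing into the SysWOW64
    # rundll32 it spawned for a 32-bit DLL is the normal WoW64 relaunch, so it is
    # only informational; any other target is treated as injection.
    seen = set()
    for e in events:
        if e["type"] != "write_process_memory":
            continue
        src, dst = e["pid"], e["target_pid"]
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        parent, child = procs.get(src), procs.get(dst)
        wow64_relaunch = (parent and child and child["ppid"] == src
                          and is_rundll32(parent["image"]) and is_rundll32(child["image"])
                          and "\\syswow64\\" in child["image"].lower())
        if wow64_relaunch:
            findings.append(("info", src, f"WriteProcessMemory into own WoW64 rundll32 child {dst} (expected for a 32-bit DLL)"))
        else:
            findings.append(("high", src, f"WriteProcessMemory into unrelated process {dst}"))

    # Rule 3: EnableLUA queried from the suspect rundll32 chain (UAC check).
    for e in events:
        if e["type"] == "registry_query" and e["key"].lower().endswith(UAC_KEY_SUFFIX):
            sev = "medium" if lineage(procs, e["pid"]) & suspect else "low"
            findings.append((sev, e["pid"], "queries EnableLUA to check whether UAC is enabled"))
    return findings


def max_severity(findings):
    return max((s for s, _, _ in findings), key=SEVERITY_ORDER.index, default="none")


if __name__ == "__main__":
    for sev, pid, msg in triage(EVENTS):
        print(f"[{sev:6}] pid {pid}: {msg}")
    print("overall:", max_severity(triage(EVENTS)))
```

The point of rule 2 is the caveat from the process tree: the parent-to-child write between the two rundll32 instances is demoted to informational because that pairing is what Windows does for a 32-bit DLL, while a write into any other process keeps its high severity. Rule 3 only escalates the EnableLUA query when the querying process sits under a rundll32 that already matched rule 1, since plenty of legitimate software reads that value.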