Analysis
max time kernel: 19s
max time network: 139s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 02:45
Static task: static1
General
Target: ce4ac994138f55c91628f2dfb8a48bd52ff5a9a0fc87d0cc0d17c5693ccf6674.dll
Size: 158KB
MD5: 2d59dcd9bed1301a988ea2240e794ac2
SHA1: ebf4be9603a5f908d8f2cf5ce3a15c54d1900f6b
SHA256: ce4ac994138f55c91628f2dfb8a48bd52ff5a9a0fc87d0cc0d17c5693ccf6674
SHA512: 89da8e89a8972bee610088eafe0e8fa47ad028838ea6b7aea988a4089e9bbd5fa008454aeafcd05b6a2edbd57dcf52b5cc195867d53d0520ccbab2a66cb0a0f3
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/3636-115-0x0000000074300000-0x000000007432D000-memory.dmp  dridex_ldr
Processes: rundll32.exe
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                      pid  process       target process
  PID 744 wrote to memory of 3636  744  rundll32.exe  rundll32.exe
  PID 744 wrote to memory of 3636  744  rundll32.exe  rundll32.exe
  PID 744 wrote to memory of 3636  744  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce4ac994138f55c91628f2dfb8a48bd52ff5a9a0fc87d0cc0d17c5693ccf6674.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce4ac994138f55c91628f2dfb8a48bd52ff5a9a0fc87d0cc0d17c5693ccf6674.dll,#1
    - Checks whether UAC is enabled