Analysis
max time kernel: 25s
max time network: 78s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 00:20
Static task: static1
General
Target: c697e5acba37034014b4e8c19c121a8ad76ab6cb514e9c1b49b5011f759d725f.dll
Size: 158KB
MD5: b02d12e05e4e3fbf3ebadd9b3e856169
SHA1: 64040990b8b4b0204f4d3eda1cb10f2f0a6374a5
SHA256: c697e5acba37034014b4e8c19c121a8ad76ab6cb514e9c1b49b5011f759d725f
SHA512: 0eb9852362319b961c955d3e01e3653aabc61ffa512cf1ec048dc52f6a6df37ae3f089a05e9cd5204b792fc3725219ec5d6d0e566d6a15de0203162c848795c6
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                    | yara_rule
  behavioral1/memory/1220-115-0x00000000744D0000-0x00000000744FD000-memory.dmp | dridex_ldr

Checks whether UAC is enabled
Processes:
  description       | ioc                                                                               | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                    | pid | process      | target process
  PID 620 wrote to memory of 1220 | 620 | rundll32.exe | rundll32.exe
  PID 620 wrote to memory of 1220 | 620 | rundll32.exe | rundll32.exe
  PID 620 wrote to memory of 1220 | 620 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c697e5acba37034014b4e8c19c121a8ad76ab6cb514e9c1b49b5011f759d725f.dll,#1
   PID: 620
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c697e5acba37034014b4e8c19c121a8ad76ab6cb514e9c1b49b5011f759d725f.dll,#1
      PID: 1220
      - Checks whether UAC is enabled