Analysis
  max time kernel:  25s
  max time network: 112s
  platform:         windows10_x64
  resource:         win10v20210408
  submitted:        11-06-2021 00:32
  Static task:      static1
General
  Target: 1c389598a6bde56717c1dc59d291d540a69a172677feceedcd3df20704de1753.dll
  Size:   160KB
  MD5:    a2d737b57fabf16a6f3854253c6091b6
  SHA1:   10a53b36180899538056b2e6220ab7b38b2abb3f
  SHA256: 1c389598a6bde56717c1dc59d291d540a69a172677feceedcd3df20704de1753
  SHA512: ad20d7e99b86c63101e228fca2138438e38a3ed302276ab7127a96411235e077530ccd505492162c9d8648a12369f8fb92a42470257f4466bf762d41f1bb037f
Malware Config
  Extracted
    Family: dridex
    Botnet: 40111
    C2:
      94.247.168.64:443
      159.203.93.122:8172
      50.116.27.97:2303
    rc4.plain
    rc4.plain
Signatures
  Processes:
    resource                                                                       yara_rule
    behavioral1/memory/1252-115-0x00000000735F0000-0x000000007361E000-memory.dmp   dridex_ldr
  Processes:
    description         ioc                                                                                   process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process        target process
    PID 596 wrote to memory of 1252     596   rundll32.exe   rundll32.exe
    PID 596 wrote to memory of 1252     596   rundll32.exe   rundll32.exe
    PID 596 wrote to memory of 1252     596   rundll32.exe   rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c389598a6bde56717c1dc59d291d540a69a172677feceedcd3df20704de1753.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c389598a6bde56717c1dc59d291d540a69a172677feceedcd3df20704de1753.dll,#1
      - Checks whether UAC is enabled