Analysis
  max time kernel: 26s
  max time network: 151s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 20-06-2021 07:09
  Static task: static1

General
  Target: 86dace727cc6ac317e4f4895a2c61270e4e7413e3056a26b305a710d2cde0424.dll
  Size: 160KB
  MD5: 48dce7362a8acb5bd7e9a5022212277c
  SHA1: 847bdf7b9d7b2b3db5ba4b9ea5e1e6ae4b9ad0be
  SHA256: 86dace727cc6ac317e4f4895a2c61270e4e7413e3056a26b305a710d2cde0424
  SHA512: 5467711501a8630bbb47782469c45d3470f6f572bda9692277eaed8aeb9a1776faf1c1d4fabb1ec235d0bf80ff6174955554067c24e72b0a74a222b2bd19d267
Malware Config (extracted)
  Family: dridex
  Botnet: 40111
  C2:
    94.247.168.64:443
    159.203.93.122:8172
    50.116.27.97:2303
  rc4.plain:
  rc4.plain:
Signatures

Dridex loader (YARA rule dridex_ldr matched in memory)
  resource: behavioral1/memory/4044-115-0x0000000073620000-0x000000007364E000-memory.dmp
  yara_rule: dridex_ldr
  process: PID 4044 (the SysWOW64 rundll32.exe). The dumped region is 0x2E000 (188,416) bytes, which is the 160KB DLL mapped with section alignment, and its base below 2GB is where a 32-bit module lands.

Checks whether UAC is enabled (1 IoC)
  process: rundll32.exe (PID 4044)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  (EnableLUA = 0 means UAC is off; the loader reads it to decide how much elevation it needs.)

Suspicious use of WriteProcessMemory (3 IoCs)
  process: rundll32.exe
  PID 504 (rundll32.exe) wrote to memory of PID 4044 (rundll32.exe), recorded three times
  Caveat: a parent writing into a child it has just created is also what ordinary process creation looks like, so this IoC on its own is weak evidence of injection. The YARA hit inside PID 4044's memory is the stronger signal; correlate the two rather than alerting on the write alone.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86dace727cc6ac317e4f4895a2c61270e4e7413e3056a26b305a710d2cde0424.dll,#1
  PID: 504
  signatures: Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86dace727cc6ac317e4f4895a2c61270e4e7413e3056a26b305a710d2cde0424.dll,#1
        PID: 4044
        signatures: Checks whether UAC is enabled

The ",#1" argument tells rundll32 to call the DLL's export at ordinal 1 rather than a named export, a common way for a Dridex loader to avoid a telltale export name. The tree shows the WoW64 handoff: the 64-bit rundll32 (PID 504) was handed a 32-bit DLL, so it relaunched the same command line under C:\Windows\SysWOW64\rundll32.exe (PID 4044), and that 32-bit process is where the loader code actually runs and where the YARA rule matched. When hunting, key on the SysWOW64 child and its ",#N" ordinal argument, not on the 64-bit parent.
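The fields above are what a responder turns into indicators. The following is an added example (not the sandbox vendor's code, nor anything shipped with the sample) that parses the report's three IoC types into structured data: it validates the C2 endpoints as IP:port, decodes the memory-dump name into PID and address range and computes the size of the matched region, and collapses the WriteProcessMemory rows into (source, destination) pairs so the YARA hit can be tied to the process that was written into. The field layout of the dump name and the IoC rows is assumed from the single example each that this report shows; the sample lines are constructed by copying the report's values.

```python
"""Turn the IoCs of a sandbox report like the one above into structured indicators.

Added example, not the sandbox vendor's code. All inputs below are constructed
by copying fields out of the report; nothing is fetched or executed.
"""
import ipaddress
import re
from collections import Counter

# Constructed input: the three C2 endpoints listed under "Malware Config".
C2_LINES = [
    "94.247.168.64:443",
    "159.203.93.122:8172",
    "50.116.27.97:2303",
]

# Constructed input: the memory dump that the YARA rule dridex_ldr matched.
MEMORY_DUMP = (
    "behavioral1/memory/4044-115-0x0000000073620000-0x000000007364E000-memory.dmp"
)

# Constructed input: the three WriteProcessMemory IoC rows, as the report lists them.
WPM_LINES = [
    "PID 504 wrote to memory of 4044 504 rundll32.exe rundll32.exe",
    "PID 504 wrote to memory of 4044 504 rundll32.exe rundll32.exe",
    "PID 504 wrote to memory of 4044 504 rundll32.exe rundll32.exe",
]

# Assumed layout: <pid>-<seq>-0x<start>-0x<end>-memory.dmp (from the one example above).
_DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Assumed layout: "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>".
_WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_c2(lines):
    """Return [(ip, port), ...]; reject anything that is not a valid IP:port."""
    endpoints = []
    for line in lines:
        host, sep, port = line.strip().rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {line!r}")
        endpoints.append((str(ip), port))
    return endpoints


def parse_memory_dump(name):
    """Decode the dump file name into pid, start, end and the size of the dumped region."""
    m = _DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("end address must be above start address")
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def cross_process_writes(lines):
    """Collapse WriteProcessMemory rows into {(src_pid, dst_pid, src_image, dst_image): count}."""
    counts = Counter()
    for line in lines:
        m = _WPM_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        counts[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return dict(counts)


def yara_hit_in_written_process(dump, writes):
    """True if the YARA match lives in a process that some other process wrote into."""
    return any(dst == dump["pid"] for (_src, dst, _si, _di) in writes)


if __name__ == "__main__":
    dump = parse_memory_dump(MEMORY_DUMP)
    writes = cross_process_writes(WPM_LINES)
    print("C2:", parse_c2(C2_LINES))
    print(f"YARA region: pid={dump['pid']} base=0x{dump['start']:X} size=0x{dump['size']:X}")
    print("cross-process writes:", writes)
    print("YARA hit in a written-into process:", yara_hit_in_written_process(dump, writes))
```

The region size comes out as 0x2E000 bytes, a little over the 160KB on disk, as expected for a mapped image; the write pairs reduce to a single (504, 4044) edge with a count of 3, and the dump's PID is that edge's destination, which is the correlation the caveat above asks for before treating the WriteProcessMemory IoC as injection.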