Analysis
max time kernel: 26s
max time network: 115s
platform: windows10_x64
resource: win10v20210408
submitted: 20-06-2021 22:55
Static task: static1
General
Target: 690f3ed8b746c0e8d41374997edd1a3594d10e68913270c25b046493cb07fc8e.dll
Size: 160KB
MD5: ad682140e2ebcc6228a63273ee3b2b3e
SHA1: efa1754230fcb440f422d03b9d94fbca7f775d2f
SHA256: 690f3ed8b746c0e8d41374997edd1a3594d10e68913270c25b046493cb07fc8e
SHA512: 333ca09386739604122de6bd3a28a2fe54c1704a81938f4fa8c0476f581f34df9eb49c004f46f7e4c78f91f816bcfb31879af29523628dac50f34c81420fe0f6
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/792-115-0x0000000073ED0000-0x0000000073EFE000-memory.dmp
  yara_rule: dridex_ldr

Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description: PID 900 wrote to memory of 792 | pid: 900 | process: rundll32.exe | target process: rundll32.exe
  description: PID 900 wrote to memory of 792 | pid: 900 | process: rundll32.exe | target process: rundll32.exe
  description: PID 900 wrote to memory of 792 | pid: 900 | process: rundll32.exe | target process: rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\690f3ed8b746c0e8d41374997edd1a3594d10e68913270c25b046493cb07fc8e.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\690f3ed8b746c0e8d41374997edd1a3594d10e68913270c25b046493cb07fc8e.dll,#1
      - Checks whether UAC is enabled