Analysis
max time kernel: 20s
max time network: 118s
platform: windows10_x64
resource: win10v20210410
submitted: 21-06-2021 19:21
Static task: static1
General
Target: 6141bd51965b81bebe5b5956491e2b6ce172f310344da6ded8a7020559555ecd.dll
Size: 160KB
MD5: 11732cd34a6b71bdfecc26576f7b1b34
SHA1: 3391cb9e5364a54a752d10560d075f348c572337
SHA256: 6141bd51965b81bebe5b5956491e2b6ce172f310344da6ded8a7020559555ecd
SHA512: 6e21ff0f96d995fa59edc2f360fea7d3b89c624677dcb9accb2a8f97903eff6317c9f1b786f77129c283ae30fe95cb6ec97478a9d1048deaa0ee2c5452c980d3
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
94.247.168.64:443
159.203.93.122:8172
50.116.27.97:2303
rc4.plain
Signatures
Processes:
resource: behavioral1/memory/4024-115-0x00000000741E0000-0x000000007420E000-memory.dmp
yara_rule: dridex_ldr
Checks whether UAC is enabled
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description: PID 1016 wrote to memory of 4024; pid: 1016; process: rundll32.exe; target process: rundll32.exe
description: PID 1016 wrote to memory of 4024; pid: 1016; process: rundll32.exe; target process: rundll32.exe
description: PID 1016 wrote to memory of 4024; pid: 1016; process: rundll32.exe; target process: rundll32.exe
Processes
C:\Windows\SysWOW64\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6141bd51965b81bebe5b5956491e2b6ce172f310344da6ded8a7020559555ecd.dll,#1
- Checks whether UAC is enabled
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6141bd51965b81bebe5b5956491e2b6ce172f310344da6ded8a7020559555ecd.dll,#1
- Suspicious use of WriteProcessMemory