Analysis
Max time kernel: 19s
Max time network: 112s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-06-2021 11:26
Static task: static1
General
Target: c4645a7d4b1c9ad1e362468cdfb9ec688278f72bafa0b8be22d5cafb20f0aa76.dll
Size: 160KB
MD5: 8e60f170f1d6f8d0d2e4fffbf8e788d9
SHA1: 0d2c4015ccd28668896fbb4f6bc3d9fa65015356
SHA256: c4645a7d4b1c9ad1e362468cdfb9ec688278f72bafa0b8be22d5cafb20f0aa76
SHA512: 0de1b2f6cd89bddd34812bd6ec26323b86aee8413abf5d292561c7f127e0c310164c9177008d6672ffbeeec850150ccd824ed25b4ef8a850501ef9611e331899
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
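The three C2 endpoints above are the actionable network indicators from this run. Two of them sit on non-standard ports (8172 and 2303), so a matcher should key on the address and port pair rather than the address alone, and report an address-only hit at lower confidence. The script below is an added example, not part of the sandbox report: it loads the C2 list exactly as extracted and runs it over a few constructed firewall log lines in a `key=value` format assumed here for illustration.

```python
import re
from dataclasses import dataclass

# C2 endpoints as reported in the extracted Dridex config above (botnet 40111).
DRIDEX_C2 = {
    ("94.247.168.64", 443),
    ("159.203.93.122", 8172),
    ("50.116.27.97", 2303),
}

# Constructed sample log lines (not from the sandbox run). The log format is an
# assumption for this example; only the dst=ip:port field drives the match.
SAMPLE_LOG = """\
2021-06-21T11:27:01Z src=10.0.0.5:51322 dst=94.247.168.64:443 proto=tcp action=allow
2021-06-21T11:27:02Z src=10.0.0.5:51323 dst=93.184.216.34:443 proto=tcp action=allow
2021-06-21T11:27:05Z src=10.0.0.5:51330 dst=159.203.93.122:8172 proto=tcp action=allow
2021-06-21T11:27:09Z src=10.0.0.5:51331 dst=50.116.27.97:443 proto=tcp action=deny
2021-06-21T11:27:12Z src=10.0.0.5:51340 dst=50.116.27.97:2303 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str  # "exact" for an ip:port match, "ip-only" for the address on another port


def parse_line(line: str):
    """Return the fields of one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_c2(log_text: str, c2=DRIDEX_C2):
    """Scan log text and return every connection to a configured C2 address."""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        dst, dport = rec["dst"], int(rec["dport"])
        if (dst, dport) in c2:
            conf = "exact"
        elif dst in c2_ips:
            conf = "ip-only"  # same host, different port: worth a look, weaker signal
        else:
            continue
        hits.append(Hit(rec["ts"], rec["src"], dst, dport, conf))
    return hits


def exact_hits(log_text=SAMPLE_LOG):
    """Only the ip:port matches, which are the ones to escalate immediately."""
    return [h for h in match_c2(log_text) if h.confidence == "exact"]


if __name__ == "__main__":
    for h in match_c2(SAMPLE_LOG):
        print(h)
```

On the constructed input this yields three exact hits (one per configured endpoint) and one address-only hit for 50.116.27.97 on port 443, which is reported but kept separate from the exact matches.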
Signatures

YARA match: dridex_ldr
  Resource: behavioral1/memory/4024-115-0x0000000073A70000-0x0000000073A9E000-memory.dmp
  Rule: dridex_ldr
  The matched resource is a memory dump of PID 4024 (the SysWOW64 rundll32.exe) covering 0x73A70000-0x73A9E000, an address range consistent with the 32-bit DLL mapped into that process. This hit, together with the extracted config, is the basis for the Dridex classification.

Checks whether UAC is enabled (1 IoC)
  Process: rundll32.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Reading EnableLUA tells the loader whether UAC is active on the host; this query is a common prelude to deciding whether a UAC bypass is needed.

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1868 (rundll32.exe) wrote to memory of PID 4024 (rundll32.exe)
  PID 1868 (rundll32.exe) wrote to memory of PID 4024 (rundll32.exe)
  PID 1868 (rundll32.exe) wrote to memory of PID 4024 (rundll32.exe)
  Caveat: 1868 is the 64-bit System32 rundll32.exe and 4024 is the SysWOW64 rundll32.exe it launched to run the 32-bit DLL. A parent writing into the child it just created is part of the normal process start path, so these three writes reflect the WoW64 relaunch rather than injection into an unrelated process. The signature is context for the process tree, not independent evidence of injection.
Processes

1. C:\Windows\system32\rundll32.exe (PID 1868)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4645a7d4b1c9ad1e362468cdfb9ec688278f72bafa0b8be22d5cafb20f0aa76.dll,#1
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 4024, child of 1868)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4645a7d4b1c9ad1e362468cdfb9ec688278f72bafa0b8be22d5cafb20f0aa76.dll,#1
      Signatures: Checks whether UAC is enabled

The sample was submitted as a DLL and executed through rundll32.exe by export ordinal (#1). Because the DLL is 32-bit, the 64-bit rundll32.exe re-launched the SysWOW64 copy with the same command line; the UAC check and the dridex_ldr memory match both occur in that 32-bit child (PID 4024).
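The process tree above carries three host-side traits a detection engineer can key on: rundll32.exe loading a DLL from a user-profile directory (here AppData\Local\Temp), invocation by export ordinal (`,#1`) rather than a named export, and the System32-to-SysWOW64 rundll32 respawn. The script below is an added example, not part of the sandbox report, and runs those heuristics over constructed process-creation events in a Sysmon-like dictionary form assumed for this illustration. The third event is a benign rundll32 use included to show the rule staying quiet.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (not from the sandbox run). The first two
# reproduce the tree above: System32 rundll32.exe (1868) spawning SysWOW64
# rundll32.exe (4024) with the same DLL and export ordinal. The third is a
# benign rundll32 invocation for contrast. Parent PIDs other than 1868 are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 1868, "ParentProcessId": 1200,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4645a7d4b1c9ad1e362468cdfb9ec688278f72bafa0b8be22d5cafb20f0aa76.dll,#1"},
    {"ProcessId": 4024, "ParentProcessId": 1868,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4645a7d4b1c9ad1e362468cdfb9ec688278f72bafa0b8be22d5cafb20f0aa76.dll,#1"},
    {"ProcessId": 5100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 <dll>,<entry>  where <entry> is a name or an ordinal such as #1.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^,\"]+?)\"?\s*,\s*(?P<entry>#?\w+)",
    re.IGNORECASE,
)

# DLL loaded from a user profile (AppData and friends) rather than a system path.
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def analyze_rundll32(event: dict):
    """Return a Finding for a rundll32 event that trips any heuristic, else None."""
    m = RUNDLL_RE.search(event["CommandLine"])
    if not m:
        return None  # not a rundll32 <dll>,<entry> invocation
    dll, entry = m.group("dll"), m.group("entry")
    reasons = []
    if USER_PROFILE_RE.search(dll):
        reasons.append("dll-in-user-profile")
    if entry.startswith("#"):
        reasons.append("ordinal-export")
    img, parent = event["Image"].lower(), event["ParentImage"].lower()
    # The 64-bit rundll32 relaunching its 32-bit counterpart: expected for a
    # 32-bit DLL, so this is corroborating context rather than a hit on its own.
    if img.endswith(r"\syswow64\rundll32.exe") and parent.endswith(r"\system32\rundll32.exe"):
        reasons.append("wow64-respawn")
    return Finding(event["ProcessId"], event["Image"], reasons) if reasons else None


def triage(events=SAMPLE_EVENTS):
    """Run the heuristics over a batch of events and keep only the findings."""
    return [f for f in (analyze_rundll32(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage():
        print(f.pid, f.image, ", ".join(f.reasons))
```

Both processes from the tree are flagged on the user-profile path and the ordinal export; the child additionally carries the wow64-respawn tag, and the shell32.dll control-panel invocation produces no finding. Treat the respawn tag as context for joining parent and child in a hunt query, not as a standalone alert.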