Analysis
- max time kernel: 28s
- max time network: 69s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-06-2021 01:33
- Static task: static1
General
- Target: 1cec45860c20bb6c4ca07fb15d25b3b221c0384c625eb58dd2cfb20f2d5e5b39.dll
- Size: 160KB
- MD5: 1b1f29c58483363fd1f363a060017bf8
- SHA1: 0b0ddc5f90d9b38e0b0284240921c975c8740b32
- SHA256: 1cec45860c20bb6c4ca07fb15d25b3b221c0384c625eb58dd2cfb20f2d5e5b39
- SHA512: 6ddfcc81abaa6ac9742653351fb107996edfd32609e4dd2ef5f4382d834ee52e761a947dd897f4f57cfcbc19dae8ab3a7eb63d9da8e1444e89976ccbae2a7a5e
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource: behavioral1/memory/868-115-0x00000000735F0000-0x000000007361E000-memory.dmp
  yara_rule: dridex_ldr
- Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description: PID 528 wrote to memory of 868; pid: 528; process: rundll32.exe; target process: rundll32.exe
  description: PID 528 wrote to memory of 868; pid: 528; process: rundll32.exe; target process: rundll32.exe
  description: PID 528 wrote to memory of 868; pid: 528; process: rundll32.exe; target process: rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1cec45860c20bb6c4ca07fb15d25b3b221c0384c625eb58dd2cfb20f2d5e5b39.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1cec45860c20bb6c4ca07fb15d25b3b221c0384c625eb58dd2cfb20f2d5e5b39.dll,#1
    - Checks whether UAC is enabled