Analysis
- max time kernel: 18s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-06-2021 05:49
- Static task: static1
General
- Target: 7dc49d94f3243d9793f097a5d2bce6a515d6b0eac6a86f55f1c25ceaeece9662.dll
- Size: 160KB
- MD5: 53638e57ffd76c1127c23fdaee489b6e
- SHA1: 57e77f19fa3bd07b2dd38166d118b2528926c14a
- SHA256: 7dc49d94f3243d9793f097a5d2bce6a515d6b0eac6a86f55f1c25ceaeece9662
- SHA512: 65b68b3515eee8b4a3135ccfc8d071c4e4e271e35b6011b35d0b293cd2f5e4883d66668dd8fea57a7853774e80b92647fd984409bba521f71d248ec3e51c3922
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
- rc4.plain
- rc4.plain
Signatures
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/3720-115-0x00000000739D0000-0x00000000739FE000-memory.dmp  dridex_ldr
Processes: rundll32.exe
  description         ioc                                                                              process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
- Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
  description                         pid   process       target process
  PID 1736 wrote to memory of 3720    1736  rundll32.exe  rundll32.exe
  PID 1736 wrote to memory of 3720    1736  rundll32.exe  rundll32.exe
  PID 1736 wrote to memory of 3720    1736  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dc49d94f3243d9793f097a5d2bce6a515d6b0eac6a86f55f1c25ceaeece9662.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1736
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dc49d94f3243d9793f097a5d2bce6a515d6b0eac6a86f55f1c25ceaeece9662.dll,#1
    - Checks whether UAC is enabled
    PID: 3720