Analysis
max time kernel: 18s
max time network: 135s
platform: windows10_x64
resource: win10v20210410
submitted: 22-06-2021 08:24
Static task: static1
General
Target: 719bc750f7759d5df6ac8dd8e8a9e92bf268e8d9dcc4e51fe185d9a4a0ccb1cd.dll
Size: 158KB
MD5: b7d7c1269f0ad1c36e627fb6ce43b8f6
SHA1: a0d16b0f1845a7935c0e8f5e304727954cdee837
SHA256: 719bc750f7759d5df6ac8dd8e8a9e92bf268e8d9dcc4e51fe185d9a4a0ccb1cd
SHA512: 314d6a8a510c0d3762218e4007783ce92377e1cff38f8fa91424fc38410a2f4672ad76e0962628be0335bad2375d9c6968ca9bf7700bd9618a6775e3c93fc1ce
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/3936-115-0x00000000755E0000-0x000000007560D000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        | pid  | Process      | procid_target
  PID 4048 wrote to memory of 3936   | 4048 | rundll32.exe | 65
  PID 4048 wrote to memory of 3936   | 4048 | rundll32.exe | 65
  PID 4048 wrote to memory of 3936   | 4048 | rundll32.exe | 65
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\719bc750f7759d5df6ac8dd8e8a9e92bf268e8d9dcc4e51fe185d9a4a0ccb1cd.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 4048

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\719bc750f7759d5df6ac8dd8e8a9e92bf268e8d9dcc4e51fe185d9a4a0ccb1cd.dll,#1
      - Checks whether UAC is enabled
      PID: 3936