Analysis
-
max time kernel
20s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
22-06-2021 11:25
Static task
static1
General
-
Target
2c4662fa005fb8c91f381de3388070061ecea58ce599be8d9bf57e14e9696224.dll
-
Size
160KB
-
MD5
41e08ab1f0adac606eb4b0cf95c3eafc
-
SHA1
a3711368264bf0c25e2895d84845bed67d402bd7
-
SHA256
2c4662fa005fb8c91f381de3388070061ecea58ce599be8d9bf57e14e9696224
-
SHA512
0470cac8fb5d1357a9e3a60237a046fe88226580daee48538c2f0c17bf4f245635b2994901e975940c13f04b5a0eab4e87a3ebd8c17f1e45a38f1be393c3d713
Malware Config
Extracted
Family
dridex
Botnet
40111
C2
94.247.168.64:443
159.203.93.122:8172
50.116.27.97:2303
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/3092-115-0x00000000742E0000-0x000000007430E000-memory.dmp dridex_ldr -
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 3416 wrote to memory of 3092 3416 rundll32.exe rundll32.exe PID 3416 wrote to memory of 3092 3416 rundll32.exe rundll32.exe PID 3416 wrote to memory of 3092 3416 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2c4662fa005fb8c91f381de3388070061ecea58ce599be8d9bf57e14e9696224.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2c4662fa005fb8c91f381de3388070061ecea58ce599be8d9bf57e14e9696224.dll,#12⤵
- Checks whether UAC is enabled