Analysis
Max time kernel: 19s
Max time network: 112s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 22-06-2021 12:27
Static task: static1
General
Target: 313c9e8adab3315a17a39152e174b0dca3a1787d2204e627142973719bb595ae.dll
Size: 160KB
MD5: 69da4edb7b4971ae34c56f52c9d49e67
SHA1: b46b8af7035a0a397a62d2038a330a0ce40b256e
SHA256: 313c9e8adab3315a17a39152e174b0dca3a1787d2204e627142973719bb595ae
SHA512: 092ea1df3b12d71916522892fd4e1c8e269babbd350cb586f62d10a4325f9760fee90823a374592d6985e5697e694bd7d686ff8e9c242c3eb6dc3793b5d852c4
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
- 94.247.168.64:443
- 159.203.93.122:8172
- 50.116.27.97:2303
rc4.plain
rc4.plain
Signatures

YARA rule dridex_ldr matched in process memory
Processes:
resource                                                                      yara_rule
behavioral1/memory/488-115-0x00000000742B0000-0x00000000742DE000-memory.dmp   dridex_ldr

Checks whether UAC is enabled
Processes:
description         ioc                                                                                     process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                       pid    process        target process
PID 3156 wrote to memory of 488   3156   rundll32.exe   rundll32.exe
PID 3156 wrote to memory of 488   3156   rundll32.exe   rundll32.exe
PID 3156 wrote to memory of 488   3156   rundll32.exe   rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe (PID 3156)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\313c9e8adab3315a17a39152e174b0dca3a1787d2204e627142973719bb595ae.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 488, child of 3156)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\313c9e8adab3315a17a39152e174b0dca3a1787d2204e627142973719bb595ae.dll,#1
      - Checks whether UAC is enabled

The PIDs are taken from the WriteProcessMemory signature (3156 wrote into 488). The second rundll32.exe is the 32-bit SysWOW64 copy that the 64-bit rundll32.exe spawns to load a 32-bit DLL, so the parent writing into the child is expected rundll32 behaviour on its own; the dridex_ldr YARA hit in PID 488's memory, the EnableLUA query from that process, and the C2 endpoints in the extracted config are the stronger indicators.
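The following is an added example and not part of the sandbox report or of any tooling the report came from. It turns the extracted C2 list from the Malware Config section and the two behavioural signatures (the EnableLUA registry query and the rundll32.exe cross-process write) into a small matcher and runs it over a few constructed, Sysmon-like telemetry lines. Only the ip:port pairs, the registry path, the process names and the PIDs 3156/488 come from the report; the log line format, the field names and the function names are assumptions made for the example. C2 matching is done on the exact ip:port pair from the config rather than on the IP alone, and the cross-process write is attributed to the target process and only counted alongside other evidence, since a 64-bit rundll32.exe writing into the SysWOW64 copy it launched is normal on its own.

```python
"""
Added example, not part of the sandbox report: a small matcher that encodes
the extracted Dridex C2 endpoints and the two behavioural signatures above,
and runs them over a few constructed, Sysmon-like telemetry lines.

Only the C2 ip:port pairs, the EnableLUA key path, the process names and the
PIDs 3156/488 come from the report; the log format, field names and the
function names here are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# From the report's Malware Config section (botnet 40111).
DRIDEX_C2 = {
    ("94.247.168.64", 443),
    ("159.203.93.122", 8172),
    ("50.116.27.97", 2303),
}

# From the "Checks whether UAC is enabled" signature.
ENABLELUA_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Policies\System\EnableLUA")

# Constructed telemetry (not from the report). One event per line:
#   <EVENT> key=value key=value ...
SAMPLE_LOG = r"""
NETCONN pid=488 image=C:\Windows\SysWOW64\rundll32.exe dst=94.247.168.64:443
NETCONN pid=1234 image=C:\Program Files\Mozilla Firefox\firefox.exe dst=94.247.168.64:80
NETCONN pid=488 image=C:\Windows\SysWOW64\rundll32.exe dst=159.203.93.122:8172
REGQUERY pid=488 image=C:\Windows\SysWOW64\rundll32.exe key=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
PROCWRITE pid=3156 image=C:\Windows\system32\rundll32.exe target_pid=488 target_image=C:\Windows\SysWOW64\rundll32.exe
NETCONN pid=2000 image=C:\Windows\System32\svchost.exe dst=13.107.4.50:443
"""

# key=value pairs; a value runs until the next " key=" so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    kind: str    # "c2", "uac_check" or "cross_process_write"
    pid: int     # process the finding is attributed to
    detail: str


def parse_line(line):
    """Split '<EVENT> k=v k=v ...' into the event name and a dict of fields."""
    event, _, rest = line.strip().partition(" ")
    return event, dict(KV_RE.findall(rest))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan(log_text):
    """Return a Finding for every line of log_text that matches an IoC."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event, f = parse_line(line)
        pid = int(f.get("pid", 0))
        image = basename(f.get("image", ""))

        if event == "NETCONN":
            # Match the exact ip:port pair from the config: the same IP may
            # host unrelated services on other ports.
            ip, _, port = f["dst"].rpartition(":")
            if (ip, int(port)) in DRIDEX_C2:
                findings.append(Finding("c2", pid, f["dst"]))

        elif event == "REGQUERY":
            if image == "rundll32.exe" and f["key"].lower() == ENABLELUA_KEY.lower():
                findings.append(Finding("uac_check", pid, f["key"]))

        elif event == "PROCWRITE":
            # A 64-bit rundll32.exe re-launching the SysWOW64 copy and writing
            # into it is normal, so this is attributed to the target process
            # and only counts together with other evidence on that process.
            target_pid = int(f["target_pid"])
            if (image == "rundll32.exe" and basename(f["target_image"]) == "rundll32.exe"
                    and target_pid != pid):
                findings.append(Finding("cross_process_write", target_pid,
                                        f"written by pid {pid}"))
    return findings


def suspicious_pids(findings, min_kinds=2):
    """PIDs that have at least min_kinds distinct kinds of finding."""
    kinds = {}
    for fd in findings:
        kinds.setdefault(fd.pid, set()).add(fd.kind)
    return {pid for pid, ks in kinds.items() if len(ks) >= min_kinds}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for fd in results:
        print(f"{fd.kind:20} pid={fd.pid:<5} {fd.detail}")
    print("suspicious:", sorted(suspicious_pids(results)))
```

Run against the constructed lines, the two rundll32.exe connections to configured C2 ports, the EnableLUA query and the write from PID 3156 all land on PID 488, which is the only process reported as suspicious; the browser connection to one of the C2 IPs on port 80 is deliberately not matched. Whether to block the three IPs outright regardless of port is a policy choice for the deployment, not something the config alone settles.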