Analysis
- max time kernel: 21s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-06-2021 00:31
- Static task: static1
General
- Target: 27d001558ba3549fe1cc3f61652426d06bd0317ebdf50d54a6e1ea68eb5253d2.dll
- Size: 158KB
- MD5: ae5e800d06eca4c888b9e8997f232ad0
- SHA1: 9fc9eee0165b421ee2ff2c5cdbb0a3d9211eae71
- SHA256: 27d001558ba3549fe1cc3f61652426d06bd0317ebdf50d54a6e1ea68eb5253d2
- SHA512: 4d44da837ec179c804ad5d7b2f1aee8fb4f530c1ca1ee7c56f6bf15dfb18f327eeb1db9ae47f46b1f0b6cccb88ee4cafa3afd8d2808aaf868c3b8cd787a98fdb
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 8.210.53.215:443
  - 72.249.22.245:2303
  - 188.40.137.206:8172
- rc4.plain
- rc4.plain
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/988-115-0x0000000073E80000-0x0000000073EAD000-memory.dmp | dridex_ldr
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 1852 wrote to memory of 988 | 1852 | rundll32.exe | rundll32.exe
PID 1852 wrote to memory of 988 | 1852 | rundll32.exe | rundll32.exe
PID 1852 wrote to memory of 988 | 1852 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27d001558ba3549fe1cc3f61652426d06bd0317ebdf50d54a6e1ea68eb5253d2.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27d001558ba3549fe1cc3f61652426d06bd0317ebdf50d54a6e1ea68eb5253d2.dll,#1
    - Checks whether UAC is enabled