Analysis
- max time kernel: 20s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-06-2021 03:19
- Static task: static1
General
- Target: baad2f6ac4b8226c339435aa42ece6b297414b68c657b8f71f366046bedf2662.dll
- Size: 158KB
- MD5: 52c4373407854ddb3d6de395b8195a1f
- SHA1: b33fcff936a43c5c974485bc9c948e3c1dc3a76c
- SHA256: baad2f6ac4b8226c339435aa42ece6b297414b68c657b8f71f366046bedf2662
- SHA512: 93b8ee27400e47b34e89659ccb0a1ab247af5eb6d09117d9deb2d50415e297a04979e387575e2cc9ab43476a97f604c5441d83e29a8f28484e4712457670fddc
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 8.210.53.215:443
  - 72.249.22.245:2303
  - 188.40.137.206:8172
- rc4.plain
- rc4.plain
Signatures
- Dridex loader YARA rule match (memory)
  Processes:
  - resource: behavioral1/memory/4460-115-0x0000000073820000-0x000000007384D000-memory.dmp
    yara_rule: dridex_ldr
- Checks whether UAC is enabled
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - description: PID 4448 wrote to memory of 4460
    pid: 4448
    process: rundll32.exe
    target process: rundll32.exe
  - description: PID 4448 wrote to memory of 4460
    pid: 4448
    process: rundll32.exe
    target process: rundll32.exe
  - description: PID 4448 wrote to memory of 4460
    pid: 4448
    process: rundll32.exe
    target process: rundll32.exe
Processes
- (1) C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\baad2f6ac4b8226c339435aa42ece6b297414b68c657b8f71f366046bedf2662.dll,#1
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\rundll32.exe (child of process 1)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\baad2f6ac4b8226c339435aa42ece6b297414b68c657b8f71f366046bedf2662.dll,#1
    - Checks whether UAC is enabled