Analysis
  max time kernel: 22s
  max time network: 126s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 22-06-2021 14:43
  Static task: static1
General
  Target: 2d54b5042d9f65b8ab3ce354bf059473160818ec3c8db49c64e8f379baa9d733.dll
  Size: 158KB
  MD5: 866a8a1471538fe90d9506f39dca7356
  SHA1: bc41f55b8dddb31497c7f9ed34bfb2d7c51cf640
  SHA256: 2d54b5042d9f65b8ab3ce354bf059473160818ec3c8db49c64e8f379baa9d733
  SHA512: 6ec11ed7aa7c0b8a8c9f21c730242a2109563e3a0975413f1cec1892f7c56eb6c5a7f3bc9a73950f18d08d44b96d5b2af66e7872bc0721827ac6a33e2e30375b
Malware Config
  Extracted
    Family: dridex
    Botnet: 40111
    C2:
      8.210.53.215:443
      72.249.22.245:2303
      188.40.137.206:8172
    rc4.plain
    rc4.plain
Signatures

  YARA rule match
    Processes:
      resource: behavioral1/memory/3852-115-0x0000000073DE0000-0x0000000073E0D000-memory.dmp
      yara_rule: dridex_ldr

  Checks whether UAC is enabled
    Processes: rundll32.exe
      description: Key value queried
      ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
      process: rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes: rundll32.exe
      description                          pid   process       target process
      PID 3944 wrote to memory of 3852     3944  rundll32.exe  rundll32.exe
      PID 3944 wrote to memory of 3852     3944  rundll32.exe  rundll32.exe
      PID 3944 wrote to memory of 3852     3944  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d54b5042d9f65b8ab3ce354bf059473160818ec3c8db49c64e8f379baa9d733.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d54b5042d9f65b8ab3ce354bf059473160818ec3c8db49c64e8f379baa9d733.dll,#1
      - Checks whether UAC is enabled