Analysis
max time kernel: 27s
max time network: 91s
platform: windows10_x64
resource: win10v20210408
submitted: 22-06-2021 10:26
Static task: static1
General
Target: c1c846b65c2ce4ce1e79e59ff0cac5680d7bd160818f9bf3519b8e25508266da.dll
Size: 158KB
MD5: 9403ff325a6de94fd8b34a559d59302f
SHA1: d982347e62725872a45cd5e422ad262b3d31fbbd
SHA256: c1c846b65c2ce4ce1e79e59ff0cac5680d7bd160818f9bf3519b8e25508266da
SHA512: db93a19804773b9e118d523a0e2440a8e1553137c35ac1219be99cdaf68ab6ab4d20a7c965937bcdbf6c97d9c7cc24a1884872481c3258b0461189e161f144f6
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

resource | yara_rule
behavioral1/memory/296-115-0x0000000074450000-0x000000007447D000-memory.dmp | dridex_ldr

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 644 wrote to memory of 296 | 644 | rundll32.exe | 69
PID 644 wrote to memory of 296 | 644 | rundll32.exe | 69
PID 644 wrote to memory of 296 | 644 | rundll32.exe | 69
Processes

C:\Windows\system32\rundll32.exe (PID 644)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1c846b65c2ce4ce1e79e59ff0cac5680d7bd160818f9bf3519b8e25508266da.dll,#1
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 296, child of 644)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1c846b65c2ce4ce1e79e59ff0cac5680d7bd160818f9bf3519b8e25508266da.dll,#1
    Signatures: Checks whether UAC is enabled