Analysis
  Max time kernel:  25s
  Max time network: 135s
  Platform:         windows10_x64
  Resource:         win10v20210408
  Submitted:        22-06-2021 01:18
  Static task:      static1
General
  Target: 2639bb06d78c8682b2010957de9f14f3c343e54255ca2f30599651c2041abd1f.dll
  Size:   158KB
  MD5:    ad5cf7fa1bfcf6452f5ad9783f023354
  SHA1:   b681346fafec4177f69a0394beaeecc136970561
  SHA256: 2639bb06d78c8682b2010957de9f14f3c343e54255ca2f30599651c2041abd1f
  SHA512: ca8ff199a17220955e77b86244e91ec61ee25c30d471a0ab3b268392ce5edbc69ffbe876f24b26eb5de9786174f38d0332ba4bb00925ae2b5b1d58aaec4bcdd8
Malware Config
  Extracted
    Family: dridex
    Botnet: 40111
    C2:
      8.210.53.215:443
      72.249.22.245:2303
      188.40.137.206:8172
    rc4.plain
    rc4.plain
Signatures

  Processes:
    resource                                                                      | yara_rule
    behavioral1/memory/1332-115-0x0000000074450000-0x000000007447D000-memory.dmp  | dridex_ldr

  Processes: rundll32.exe
    description        | ioc                                                                               | process
    Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                      | pid | process       | target process
    PID 648 wrote to memory of 1332  | 648 | rundll32.exe  | rundll32.exe
    PID 648 wrote to memory of 1332  | 648 | rundll32.exe  | rundll32.exe
    PID 648 wrote to memory of 1332  | 648 | rundll32.exe  | rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2639bb06d78c8682b2010957de9f14f3c343e54255ca2f30599651c2041abd1f.dll,#1
    PID: 648
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2639bb06d78c8682b2010957de9f14f3c343e54255ca2f30599651c2041abd1f.dll,#1
      PID: 1332
      Signatures: Checks whether UAC is enabled