Analysis
  max time kernel:  19s
  max time network: 112s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        22-06-2021 09:24
  Static task:      static1
General
  Target: 99b5a16fb10b5d12896c451b281494ebfdff853f954f07a13115f33a0b871008.dll
  Size:   158KB
  MD5:    e0f2e5b33210faf05ad0831f0d8cdeab
  SHA1:   3c742718d93a8349063f387023237182d8ed0ba2
  SHA256: 99b5a16fb10b5d12896c451b281494ebfdff853f954f07a13115f33a0b871008
  SHA512: 515495da690bd3dc69fa8f1ab320ba53e49f4829950b51876772e0a4b2ec37342a12c11533051735bf632df3df5d7581314f19238dba8b81558a693dd8bf7f8a
Malware Config
  Extracted
    Family: dridex
    Botnet: 40112
    C2:
      8.210.53.215:443
      72.249.22.245:2303
      188.40.137.206:8172
    rc4.plain
Signatures
  YARA rule match
    resource:  behavioral1/memory/2760-115-0x0000000073860000-0x000000007388D000-memory.dmp
    yara_rule: dridex_ldr

  Checks whether UAC is enabled
    description: Key value queried
    ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    Process:     rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid    Process        procid_target
    PID 1968 wrote to memory of 2760   1968   rundll32.exe   44
    PID 1968 wrote to memory of 2760   1968   rundll32.exe   44
    PID 1968 wrote to memory of 2760   1968   rundll32.exe   44
Processes
  1. C:\Windows\system32\rundll32.exe
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99b5a16fb10b5d12896c451b281494ebfdff853f954f07a13115f33a0b871008.dll,#1
       PID: 1968
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99b5a16fb10b5d12896c451b281494ebfdff853f954f07a13115f33a0b871008.dll,#1
          PID: 2760
          - Checks whether UAC is enabled