Analysis
max time kernel: 27s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 23-06-2021 22:14
Static task: static1
General
Target: 54f22717a3614c178d34ec8d90280dd376a344be68ec8d640a6e86fe2d12253d.dll
Size: 158KB
MD5: a8a08232178dd5e65f9ca2295ce25e03
SHA1: 75e397da31cc4b10b6a4dcd682bdf321a5df4381
SHA256: 54f22717a3614c178d34ec8d90280dd376a344be68ec8d640a6e86fe2d12253d
SHA512: 61d852f417ccf980684826d0dcdbaa74d3fe69f2568ad83c30c247f3a630f3567635c7b5ffd014b23a32733e233beffaa92b9b609b33fb89c1043d862bc966cb
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource | yara_rule
  behavioral1/memory/1164-115-0x0000000074450000-0x000000007447D000-memory.dmp | dridex_ldr

Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 644 wrote to memory of 1164 | 644 | rundll32.exe | rundll32.exe
  PID 644 wrote to memory of 1164 | 644 | rundll32.exe | rundll32.exe
  PID 644 wrote to memory of 1164 | 644 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54f22717a3614c178d34ec8d90280dd376a344be68ec8d640a6e86fe2d12253d.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54f22717a3614c178d34ec8d90280dd376a344be68ec8d640a6e86fe2d12253d.dll,#1
    - Checks whether UAC is enabled