Analysis
max time kernel: 25s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 23-06-2021 07:35
Static task: static1
General
Target: 254ae3c7d0ffae515fdce56b15042e443c414dcb2328688b22ce20043fb593d6.dll
Size: 160KB
MD5: aa4a55788020cb0df3153194d45bcb91
SHA1: 86854274da3ba0f6549d07f5713dcdf09b24a7d1
SHA256: 254ae3c7d0ffae515fdce56b15042e443c414dcb2328688b22ce20043fb593d6
SHA512: 5517f8849d6bb2c0c965c39f2dc6a858b773a97302bf8ada35207fcfb6fd85660456bbd74f5cc1c825eb2e33667b2b89cd08a521fa69a98182ac197f45a46edd
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
- 94.247.168.64:443
- 159.203.93.122:8172
- 50.116.27.97:2303
rc4.plain
rc4.plain
Signatures
- Processes:
  resource: behavioral1/memory/2336-115-0x0000000073890000-0x00000000738BE000-memory.dmp
  yara_rule: dridex_ldr
- Processes:
  process: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  process: rundll32.exe
  description: PID 3008 wrote to memory of 2336 (pid 3008, rundll32.exe -> target process rundll32.exe)
  description: PID 3008 wrote to memory of 2336 (pid 3008, rundll32.exe -> target process rundll32.exe)
  description: PID 3008 wrote to memory of 2336 (pid 3008, rundll32.exe -> target process rundll32.exe)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\254ae3c7d0ffae515fdce56b15042e443c414dcb2328688b22ce20043fb593d6.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\254ae3c7d0ffae515fdce56b15042e443c414dcb2328688b22ce20043fb593d6.dll,#1
      - Checks whether UAC is enabled