Analysis
  max time kernel: 20s
  max time network: 114s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 23-06-2021 05:40
  static task: static1
General
  Target: 3ff8df8b19ea1f046c00a1fbdd890264e3ba61256f9384b8b0871620cbadc840.dll
  Size: 160KB
  MD5: edf377af6fb23f7b29d741b9ae9abdae
  SHA1: 3ea89df4fa6534522e63a10ac868e418049a10e9
  SHA256: 3ff8df8b19ea1f046c00a1fbdd890264e3ba61256f9384b8b0871620cbadc840
  SHA512: 3c6a69f6748a7666fb086ad2140fc01753873ae02deaf8863eafba809ab6ea54d34df3cb53accc1ba189021cffedd6f7c425fb57f3558d56fe0747dc0e0180db
Malware Config (extracted)
  Family: dridex
  Botnet: 40111
  C2:
    94.247.168.64:443
    159.203.93.122:8172
    50.116.27.97:2303
  rc4.plain
  rc4.plain
Signatures
  Dridex loader in memory (YARA rule dridex_ldr)
    resource: behavioral1/memory/3516-115-0x0000000073EE0000-0x0000000073F0E000-memory.dmp
    The matching region (0x73EE0000-0x73F0E000) was dumped from PID 3516, the WOW64 rundll32.exe that hosts the DLL.
  Checks whether UAC is enabled
    process: rundll32.exe (PID 3516)
    ioc: key value queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Suspicious use of WriteProcessMemory (3 IoCs)
    process: rundll32.exe (PID 4060) wrote to memory of PID 3516 (rundll32.exe), three occurrences
Processes
  C:\Windows\system32\rundll32.exe (PID 4060)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ff8df8b19ea1f046c00a1fbdd890264e3ba61256f9384b8b0871620cbadc840.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    child: C:\Windows\SysWOW64\rundll32.exe (PID 3516)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ff8df8b19ea1f046c00a1fbdd890264e3ba61256f9384b8b0871620cbadc840.dll,#1
      signatures: Checks whether UAC is enabled
  The sample is invoked by its first export ordinal (,#1). The 64-bit rundll32.exe in system32 re-launches the same command line through the SysWOW64 rundll32.exe, which is the normal hand-off for a 32-bit DLL on a 64-bit host; the DLL code, the EnableLUA query and the dridex_ldr memory match all belong to the 32-bit child (PID 3516).
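The three behaviours this report lists (rundll32 spawning a second rundll32, the parent writing into the child's memory, the child querying EnableLUA) are individually weak signals; it is their combination, plus a DLL loaded by ordinal from a user Temp directory, that distinguishes this run from a routine 32-bit DLL hand-off. The following is an added example, not part of the sandbox report, that correlates those signals over constructed, Sysmon-style event records modelled on the report's process tree (PIDs 4060 and 3516). The event schema, the benign comparison chain (PIDs 5100 and 5104) and the scoring are assumptions made for illustration.

```python
"""Correlate rundll32 -> rundll32 hand-offs with the indicators seen in the report.

Constructed, Sysmon-like event records; the event schema and scoring are illustrative.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

RUNDLL32 = "rundll32.exe"
ENABLE_LUA_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Policies\System\EnableLUA")
# "<path>.dll,#<ordinal>": the report shows the export called as ",#1"
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)
# DLL dropped under a user's Temp directory, as in the report
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\3ff8df8b19ea1f046c00a1fbdd890264e3ba61256f9384b8b0871620cbadc840.dll")

# Constructed events (not real telemetry). The first block mirrors the report;
# the second is a benign-looking hand-off of a system DLL for comparison.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4060, "ppid": 1234,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 3516, "ppid": 4060,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "write_process_memory", "pid": 4060, "target_pid": 3516},
    {"type": "write_process_memory", "pid": 4060, "target_pid": 3516},
    {"type": "write_process_memory", "pid": 4060, "target_pid": 3516},
    {"type": "registry_query", "pid": 3516, "key": ENABLE_LUA_KEY},
    {"type": "process_create", "pid": 5100, "ppid": 1234,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL"},
    {"type": "process_create", "pid": 5104, "ppid": 5100,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL"},
    {"type": "write_process_memory", "pid": 5100, "target_pid": 5104},
    {"type": "write_process_memory", "pid": 5100, "target_pid": 5104},
    {"type": "write_process_memory", "pid": 5100, "target_pid": 5104},
]


def _basename(image):
    return PureWindowsPath(image).name.lower()


def _is_wow64(image):
    return "\\syswow64\\" in image.lower()


def find_rundll32_chains(events):
    """Return one finding per rundll32 child whose parent is also rundll32.

    Each finding lists the indicators present and a score equal to their count,
    so a plain 32-bit hand-off scores low and the report's chain scores high.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    wpm = defaultdict(int)
    for e in events:
        if e["type"] == "write_process_memory":
            wpm[(e["pid"], e["target_pid"])] += 1
    lua_queries = {e["pid"] for e in events
                   if e["type"] == "registry_query"
                   and e["key"].lower() == ENABLE_LUA_KEY.lower()}

    findings = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None or _basename(child["image"]) != RUNDLL32 \
                or _basename(parent["image"]) != RUNDLL32:
            continue
        indicators = ["rundll32 spawned by rundll32"]
        if not _is_wow64(parent["image"]) and _is_wow64(child["image"]):
            indicators.append("64-bit parent handed off to WOW64 child (32-bit DLL)")
        if ORDINAL_EXPORT.search(child["cmdline"]):
            indicators.append("export called by ordinal")
        if USER_TEMP.search(child["cmdline"]):
            indicators.append("DLL loaded from user Temp directory")
        writes = wpm.get((parent["pid"], child["pid"]), 0)
        if writes:
            indicators.append(f"parent wrote to child memory ({writes} IoCs)")
        if child["pid"] in lua_queries:
            indicators.append("child queried EnableLUA (UAC check)")
        findings.append({"parent_pid": parent["pid"], "child_pid": child["pid"],
                         "indicators": indicators, "score": len(indicators)})
    return findings


if __name__ == "__main__":
    for f in find_rundll32_chains(SAMPLE_EVENTS):
        print(f"{f['parent_pid']} -> {f['child_pid']} score={f['score']}")
        for ind in f["indicators"]:
            print("   ", ind)
```

The WriteProcessMemory IoCs alone should not drive an alert: process creation itself writes into the new process's address space, so a 64-bit rundll32 launching its WOW64 counterpart produces them for any 32-bit DLL. In this run the discriminating signals are the Temp-directory path, the ordinal export, the EnableLUA query and, above all, the dridex_ldr match on the child's memory, which this event-level correlation cannot see and which a real pipeline would join in from the memory scan.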