Analysis
- max time kernel: 24s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-06-2021 20:43
- Static task: static1
General
- Target: adc007b40b559d6c8ad7f7758bf982e43ca941bd108997fe574ffaabb7505d5c.dll
- Size: 160KB
- MD5: 33e2849581d41ff00b8a5fbe14034d3f
- SHA1: 84fed43ffaae3e11cc37bfac5b7bb5f182a980d1
- SHA256: adc007b40b559d6c8ad7f7758bf982e43ca941bd108997fe574ffaabb7505d5c
- SHA512: 99f34ddec688245f02ae67803b941494fcc9fe768aef7abbbaef3d97eec06704881646cd4f9e8b2b5dd1d93d1178519a2cf0fdd0ea91a68a9a168314765c5be0
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 94.247.168.64:443
  - 159.203.93.122:8172
  - 50.116.27.97:2303
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource | yara_rule
  behavioral1/memory/1424-115-0x0000000073F10000-0x0000000073F3E000-memory.dmp | dridex_ldr
- Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 364 wrote to memory of 1424 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1424 | 364 | rundll32.exe | rundll32.exe
  PID 364 wrote to memory of 1424 | 364 | rundll32.exe | rundll32.exe
Processes
- 1. C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc007b40b559d6c8ad7f7758bf982e43ca941bd108997fe574ffaabb7505d5c.dll,#1
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc007b40b559d6c8ad7f7758bf982e43ca941bd108997fe574ffaabb7505d5c.dll,#1
    - Checks whether UAC is enabled