Analysis
max time kernel: 25s
max time network: 72s
platform: windows10_x64
resource: win10v20210408
submitted: 23-06-2021 23:47
Static task: static1

General
Target: e6ae317c3a044f8649226f27358b30a1865c3a0e06abf786bba0d385ccab042f.dll
Size: 160KB
MD5: a70cd00a56d2711bea2d03b829df3aa3
SHA1: c9dc4c97cbbd2bcc06c34dbf22f46b238f898abd
SHA256: e6ae317c3a044f8649226f27358b30a1865c3a0e06abf786bba0d385ccab042f
SHA512: cd199483f4941d396364da9918be1d94f598e034515acbb25680c88c57149aa5d70b72481731153701937b57ce401ffa00f0d25476ed3445108b993dd40ed25f
Malware Config (Extracted)
Family: dridex
Botnet: 40111
C2:
94.247.168.64:443
159.203.93.122:8172
50.116.27.97:2303
rc4.plain
rc4.plain
Signatures

Processes:
resource: behavioral1/memory/492-115-0x0000000074350000-0x000000007437E000-memory.dmp
yara_rule: dridex_ldr

Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description: PID 652 wrote to memory of 492 | pid: 652 | process: rundll32.exe | target process: rundll32.exe
description: PID 652 wrote to memory of 492 | pid: 652 | process: rundll32.exe | target process: rundll32.exe
description: PID 652 wrote to memory of 492 | pid: 652 | process: rundll32.exe | target process: rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ae317c3a044f8649226f27358b30a1865c3a0e06abf786bba0d385ccab042f.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ae317c3a044f8649226f27358b30a1865c3a0e06abf786bba0d385ccab042f.dll,#1
      - Checks whether UAC is enabled