Analysis

max time kernel: 26s
max time network: 113s
platform: windows10_x64
resource: win10v20210408
submitted: 23-06-2021 21:14
Static task: static1
General

Target: 787b1b7627db90919767db72f25dc983d5e7ab74f3910b0e0692eb337808ef5b.dll
Size: 158KB
MD5: 8827985946c478d442536e7501fc8ec6
SHA1: fdac9fd1bb407ff3024475d4fa9b8b3de4fe2e1d
SHA256: 787b1b7627db90919767db72f25dc983d5e7ab74f3910b0e0692eb337808ef5b
SHA512: 41141c4949907f92c1e1f89a2243507eff2a53b8da00478b9b40ea8c2bd9fbc9406dba62475708f2747bd9e243da671bf4a93b693059cb9966e14864e7d186e8
Malware Config

Extracted
Family: dridex
Botnet: 40111
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/1884-115-0x0000000073530000-0x000000007355D000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
Processes:
  process: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  process: rundll32.exe
  description                          pid   process       target process
  PID 3628 wrote to memory of 1884     3628  rundll32.exe  rundll32.exe
  PID 3628 wrote to memory of 1884     3628  rundll32.exe  rundll32.exe
  PID 3628 wrote to memory of 1884     3628  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\787b1b7627db90919767db72f25dc983d5e7ab74f3910b0e0692eb337808ef5b.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\787b1b7627db90919767db72f25dc983d5e7ab74f3910b0e0692eb337808ef5b.dll,#1
    - Checks whether UAC is enabled