Analysis

max time kernel    27s
max time network   119s
platform           windows10_x64
resource           win10v20210408
submitted          23-06-2021 08:01
Static task        static1
General

Target   dba44d4541dfc56d5bae19ddc2e987f9e9863cde5779a3c0b98401926f3fedd2.dll
Size     158KB
MD5      0a716459cf2bbe469b9d632ace0c21fb
SHA1     4c65b2485c25d4fc2ec1a769ef054f3e7311b7b1
SHA256   dba44d4541dfc56d5bae19ddc2e987f9e9863cde5779a3c0b98401926f3fedd2
SHA512   838c24d9f21f5405728c83b0d1d40a7a1567c931c3178ecfb210008b0d99cbcaa4dcb9cd62aabea019f01e73309cd2cdc3db9791fa4c20c63a6ac3d260677385
Malware Config

Extracted
Family   dridex
Botnet   40111
C2       8.210.53.215:443
         72.249.22.245:2303
         188.40.137.206:8172
Keys     rc4.plain
         rc4.plain
         (two rc4.plain entries are listed; their values are not rendered in this extract)
Signatures

YARA match in a memory dump
    resource    behavioral1/memory/3236-115-0x0000000073F20000-0x0000000073F4D000-memory.dmp
    yara_rule   dridex_ldr

Checks whether UAC is enabled
    description   Key value queried
    ioc           \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process       rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
    description                         pid    process        target process
    PID 3728 wrote to memory of 3236    3728   rundll32.exe   rundll32.exe
    PID 3728 wrote to memory of 3236    3728   rundll32.exe   rundll32.exe
    PID 3728 wrote to memory of 3236    3728   rundll32.exe   rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dba44d4541dfc56d5bae19ddc2e987f9e9863cde5779a3c0b98401926f3fedd2.dll,#1
   signatures:   Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dba44d4541dfc56d5bae19ddc2e987f9e9863cde5779a3c0b98401926f3fedd2.dll,#1
      signatures:   Checks whether UAC is enabled

Note: the 64-bit rundll32.exe re-launching its SysWOW64 counterpart with the same DLL and export (ordinal #1) is the normal path for running a 32-bit DLL on 64-bit Windows, so the sample is a 32-bit DLL. The WriteProcessMemory signature records only that the parent (PID 3728) wrote into the child (PID 3236), not what was written; the dridex_ldr YARA hit and the EnableLUA read both belong to the child.
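The Signatures and Processes sections above list the same chain as separate IoCs: a parent rundll32 writing into a SysWOW64 rundll32 child, that child reading EnableLUA, and a dridex_ldr YARA hit in the child's memory. The Python below is an added example, written for this page and not part of the sandbox report or of any sandbox tooling; it correlates those IoCs into one finding. The event dicts are a constructed transcription of the report's lines, and the field names, the memory-dump name layout (pid-sequence-start-end) and the function names are this example's own assumptions.

```python
import re
from collections import Counter

# Events below are a constructed transcription of the sandbox report above.
# The dict layout and field names are this example's own convention, not the
# sandbox's export format.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\dba44d4541dfc56d5bae19ddc2e987f9e9863cde5779a3c0b98401926f3fedd2.dll")

PROCESSES = {
    3728: {"image": r"C:\Windows\system32\rundll32.exe", "parent": None,
           "cmdline": f"rundll32.exe {DLL},#1"},
    3236: {"image": r"C:\Windows\SysWOW64\rundll32.exe", "parent": 3728,
           "cmdline": f"rundll32.exe {DLL},#1"},
}
# (source pid, target pid) per WriteProcessMemory IoC; the report lists it 3 times.
WRITE_PROCESS_MEMORY = [(3728, 3236)] * 3
# (pid, registry path) per "Key value queried" IoC.
REGISTRY_READS = [(3236, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
                         r"\CurrentVersion\Policies\System\EnableLUA")]
# "<memory dump resource> <yara rule>" per YARA match.
YARA_HITS = ["behavioral1/memory/3236-115-0x0000000073F20000-0x0000000073F4D000"
             "-memory.dmp dridex_ldr"]

# Assumed dump-name layout: <pid>-<sequence>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?),(?P<export>\S+)\s*$", re.IGNORECASE)


def parse_yara_hit(line):
    """Split '<dump> <rule>' and decode pid, address range and size from the dump name."""
    dump, rule = line.rsplit(" ", 1)
    m = MEMDUMP_RE.search(dump)
    if not m:
        raise ValueError(f"unrecognised dump name: {dump}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end,
            "size": end - start, "rule": rule}


def parse_rundll32(cmdline):
    """Return (dll path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    return (m["dll"], m["export"]) if m else None


def is_wow64(image):
    return "\\syswow64\\" in image.lower()


def correlate_rundll32_chain(processes, wpm_events, registry_reads, yara_hits):
    """Tie together the report's separate IoCs: a non-WOW64 rundll32 that writes into
    a SysWOW64 rundll32 child started with the same DLL and export, plus what that
    child did (EnableLUA read) and what was found in its memory (YARA rule names).
    The report records that the parent wrote to the child, not what was written,
    so the result is a correlation, not a proof of code injection."""
    findings = []
    hits = [parse_yara_hit(h) for h in yara_hits]
    uac_readers = {pid for pid, key in registry_reads
                   if key.upper().endswith("\\ENABLELUA")}
    for (src, dst), count in Counter(wpm_events).items():
        p_src, p_dst = processes.get(src), processes.get(dst)
        if not p_src or not p_dst or p_dst.get("parent") != src:
            continue
        load_src, load_dst = parse_rundll32(p_src["cmdline"]), parse_rundll32(p_dst["cmdline"])
        if not load_src or load_src != load_dst:
            continue
        if is_wow64(p_src["image"]) or not is_wow64(p_dst["image"]):
            continue
        findings.append({
            "source_pid": src, "target_pid": dst,
            "dll": load_dst[0], "export": load_dst[1],
            "write_count": count,
            "target_checks_uac": dst in uac_readers,
            "yara_in_target": sorted(h["rule"] for h in hits if h["pid"] == dst),
            "yara_region_bytes": [h["size"] for h in hits if h["pid"] == dst],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_rundll32_chain(PROCESSES, WRITE_PROCESS_MEMORY,
                                            REGISTRY_READS, YARA_HITS):
        print(finding)
```

On the report's events this yields a single finding: PID 3728 wrote three times into its WOW64 child PID 3236, both loaded the same DLL via export #1, the child read EnableLUA, and the child's dumped region (0x73F20000 to 0x73F4D000, 0x2D000 bytes, a plausible mapped-image size for a 158KB DLL) matched dridex_ldr. Swapping the direction of the write, or pointing it at a process that is not the writer's child, produces no finding.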