Analysis
  max time kernel: 18s
  max time network: 136s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 24-06-2021 11:46
  Static task: static1
General
  Target: cf770573735257b526e4322a029d7effffb903a9c99dd4f20cce3fe0fc50fc0c.dll
  Size: 160KB
  MD5: 2d0a05dc463804903c862bf40f12127f
  SHA1: 2b5cc3f994517da9b65bb1520a2d03983739a8cb
  SHA256: cf770573735257b526e4322a029d7effffb903a9c99dd4f20cce3fe0fc50fc0c
  SHA512: 001b17954cb3a49d55b987eb95cafe4bba8ea9a401f2d43701f783b870d8d36220502abff1a4cf52163d9a554843920701292748f1e4478cadfa7b37194e3fb6
Malware Config (Extracted)
  Family: dridex
  Botnet: 40111
  C2:
    94.247.168.64:443
    159.203.93.122:8172
    50.116.27.97:2303
  rc4.plain
  rc4.plain
Signatures
  YARA rule match
    Processes:
      resource                                                                     yara_rule
      behavioral1/memory/3180-115-0x00000000736B0000-0x00000000736DE000-memory.dmp  dridex_ldr
  Checks whether UAC is enabled
    Processes:
      description        ioc                                                                                    process
      Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      description                        pid   process       target process
      PID 2256 wrote to memory of 3180   2256  rundll32.exe  rundll32.exe
      PID 2256 wrote to memory of 3180   2256  rundll32.exe  rundll32.exe
      PID 2256 wrote to memory of 3180   2256  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe (PID 2256)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf770573735257b526e4322a029d7effffb903a9c99dd4f20cce3fe0fc50fc0c.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 3180)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf770573735257b526e4322a029d7effffb903a9c99dd4f20cce3fe0fc50fc0c.dll,#1
      - Checks whether UAC is enabled