Analysis
max time kernel: 18s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 24-06-2021 15:14
Static task: static1
General
Target: c18a54a0c24a59d274eeadbcc603887d9e0051434547c3170bee3348ec57b9bb.dll
Size: 160KB
MD5: 02c61598b11d6245cd70fa4ab8661f3d
SHA1: 31eb56a63e6508dff2dd5aab550f18a5d845fd2e
SHA256: c18a54a0c24a59d274eeadbcc603887d9e0051434547c3170bee3348ec57b9bb
SHA512: 34282e37a6e16b584406f9abec43a6c37bcfcaa6706f35148ddc3c2b1706485bf18b47837d40b541b8b4e822a12cbea71f4e20a245879ccb2581c24368c2b7e3
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain: (key value not shown in this extract)
rc4.plain: (key value not shown in this extract)
Signatures
Yara rule match (1 IoC)
  resource: behavioral1/memory/1140-115-0x0000000073E80000-0x0000000073EAE000-memory.dmp
  yara_rule: dridex_ldr
Checks whether UAC is enabled (1 IoC)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       target process
  PID 2576 wrote to memory of 1140   2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 1140   2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 1140   2576  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe (PID 2576)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c18a54a0c24a59d274eeadbcc603887d9e0051434547c3170bee3348ec57b9bb.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1140, child of 1.)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c18a54a0c24a59d274eeadbcc603887d9e0051434547c3170bee3348ec57b9bb.dll,#1
      - Checks whether UAC is enabled
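The behaviours listed above (rundll32 loading a DLL by ordinal export from the user's Temp directory, the 64-bit rundll32 spawning the SysWOW64 copy and writing into it, the EnableLUA registry probe, and the extracted C2 list) can be turned into a small detection that runs over process telemetry. The script below is an added example written for this page; it is not the sandbox's own signature logic and not Dridex code. The event records are constructed to mirror this report, the rule names and the `Proc` record layout are my own, and "example32.dll" in the benign control set is a hypothetical file name. One caveat a reviewer of this report should keep in mind: when the 64-bit rundll32.exe is handed a 32-bit DLL it relaunches C:\Windows\SysWOW64\rundll32.exe and writes into that new child as part of process creation, so the parent/child pair and the WriteProcessMemory events are expected on their own. The verdict therefore keys on the ordinal load from a user-writable path combined with the UAC probe or a contact to a known C2, and treats the WoW64 hand-off as context only.

```python
"""Score sandbox-style process events for the Dridex loader pattern seen in this report.

Added example for this page; the events below are constructed, not sandbox output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Proc:
    """One process record with the facets the report exposes (assumed record layout)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    reg_queries: List[str] = field(default_factory=list)   # registry paths queried
    mem_writes: List[int] = field(default_factory=list)    # target PIDs of cross-process writes
    connections: List[str] = field(default_factory=list)   # observed "ip:port" endpoints


# rundll32 invoked with an ordinal export: "<dll>,#<n>" (quoted paths allowed).
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*#(?P<ord>\d+)', re.I)
# DLL staged under a user-writable Temp directory.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.I)
ENABLE_LUA = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
# C2 endpoints as extracted from the sample's configuration (botnet 40111).
DRIDEX_C2 = {"94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"}

Finding = Tuple[int, str, str]   # (pid, rule name, detail)


def ordinal_export(p: Proc) -> Optional[Tuple[str, int]]:
    """Return (dll path, ordinal) when rundll32 was told to call an export by number."""
    m = ORDINAL_RE.search(p.cmdline)
    return (m.group("dll"), int(m.group("ord"))) if m else None


def analyse(procs: List[Proc]) -> List[Finding]:
    """Emit one finding per matching facet; no single finding is a verdict by itself."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        hit = ordinal_export(p)
        if hit and USER_WRITABLE.search(hit[0]):
            findings.append((p.pid, "rundll32_ordinal_from_temp", f"{hit[0]},#{hit[1]}"))
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if (parent and "system32\\rundll32" in parent.image.lower()
                and "syswow64\\rundll32" in p.image.lower()):
            # WoW64 hand-off: 64-bit rundll32 relaunches the 32-bit copy for a 32-bit DLL.
            # Recorded as context; it is normal on its own.
            findings.append((p.pid, "wow64_rundll32_handoff", str(parent.pid)))
        for target in p.mem_writes:
            if target != p.pid:
                findings.append((p.pid, "cross_process_write", str(target)))
        if any(q.lower() == ENABLE_LUA.lower() for q in p.reg_queries):
            findings.append((p.pid, "uac_enablelua_query", ENABLE_LUA))
        for endpoint in p.connections:
            if endpoint in DRIDEX_C2:
                findings.append((p.pid, "known_dridex_c2", endpoint))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Require the staged ordinal load plus either the UAC probe or a known C2 contact."""
    kinds = {rule for _, rule, _ in findings}
    if "rundll32_ordinal_from_temp" in kinds and kinds & {"uac_enablelua_query", "known_dridex_c2"}:
        return "dridex_loader_pattern"
    return "no_match"


DLL = r"C:\Users\Admin\AppData\Local\Temp\c18a54a0c24a59d274eeadbcc603887d9e0051434547c3170bee3348ec57b9bb.dll"

# Constructed events modelled on this report: PID 2576 (64-bit) spawns PID 1140 (SysWOW64),
# writes into it three times, and the child queries EnableLUA. No network traffic was listed.
SAMPLE = [
    Proc(2576, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1",
         mem_writes=[1140, 1140, 1140]),
    Proc(1140, 2576, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1",
         reg_queries=[ENABLE_LUA]),
]

# Constructed benign control: the same WoW64 hand-off for a hypothetical 32-bit DLL that
# lives under the Windows directory, with no UAC probe and no C2 contact.
BENIGN = [
    Proc(3000, 1234, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Windows\SysWOW64\example32.dll,#1", mem_writes=[3001]),
    Proc(3001, 3000, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Windows\SysWOW64\example32.dll,#1"),
]

if __name__ == "__main__":
    for name, procs in (("sample", SAMPLE), ("benign", BENIGN)):
        found = analyse(procs)
        for pid, rule, detail in found:
            print(f"{name}: pid {pid} {rule} {detail}")
        print(f"{name}: verdict = {verdict(found)}")
```

Running it prints the per-facet findings for both sets and a verdict of dridex_loader_pattern for the constructed report events and no_match for the control, even though the control also produces a wow64_rundll32_handoff and a cross_process_write finding.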