Analysis
Max time kernel: 25s
Max time network: 113s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 24-06-2021 21:07
Static task: static1
General
Target: 9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178.dll
Size: 160KB
MD5: 63a10c1ec48ddb9fc174829629e62ed3
SHA1: 27a169d6dbc47c2acbf7d7abe82e164f69d5a872
SHA256: 9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178
SHA512: 628959c32ac2ce2e695a921225ce7f96e7c129d372f388292ecffa2862f0e6b7a8a81971fbb63a8415fce79e04fdce8b7e01dab0d316adbf7942b82a6300db62
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
(The extractor reports two rc4.plain key fields; the key values themselves are not reproduced in this export.)
Note: only the first C2 endpoint uses the standard HTTPS port. The other two listen on high, non-standard ports (8172 and 2303), so egress filtering that only inspects 80/443 will not see that traffic; block or alert on the full IP:port pairs.
Signatures
YARA match: dridex_ldr (1 IoC)
  Resource: behavioral1/memory/1028-115-0x00000000735F0000-0x000000007361E000-memory.dmp
  The rule fired on a memory dump of PID 1028, the C:\Windows\SysWOW64\rundll32.exe child process. The 0x735F0000 base address is in the 32-bit address range, consistent with the sample being a 32-bit DLL mapped inside a WoW64 process.
Checks whether UAC is enabled (1 IoC)
  rundll32.exe queried the key value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Reading EnableLUA is also done by plenty of benign software; on its own it is a weak indicator and is worth acting on here only because of the process context (a rundll32.exe loading a DLL from %LOCALAPPDATA%\Temp).
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 528 (rundll32.exe) wrote to the memory of PID 1028 (rundll32.exe), recorded three times.
  Caveat: the writer is the 64-bit C:\Windows\system32\rundll32.exe and the target is the C:\Windows\SysWOW64\rundll32.exe it spawned with the same command line, which is what happens when 64-bit rundll32 is handed a 32-bit DLL. A parent writing into a child it has just created is expected during process start-up, so these three IoCs by themselves do not demonstrate code injection; the dridex_ldr match in PID 1028's memory is the stronger evidence.
Processes
(PIDs taken from the WriteProcessMemory IoCs above: 528 is the parent, 1028 the child. ",#1" tells rundll32 to call the DLL's export ordinal 1.)
C:\Windows\system32\rundll32.exe (PID 528)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1028)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178.dll,#1
    Signatures: Checks whether UAC is enabled
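As an added example (not part of the sandbox report or of any vendor tooling), the indicators from the Malware Config and Signatures sections above, turned into a small matcher that runs over constructed key=value telemetry. The file hashes, C2 endpoints and EnableLUA key path are copied from the report; the log format, the sample log lines, the "rundll32 loading a DLL from %LOCALAPPDATA%\Temp" heuristic and all function names are assumptions made for this example.

```python
import re

# Indicators copied from the sandbox report above (file hashes, C2 list,
# and the registry value the sample queried).
FILE_HASHES = {
    "63a10c1ec48ddb9fc174829629e62ed3",                                  # MD5
    "27a169d6dbc47c2acbf7d7abe82e164f69d5a872",                          # SHA1
    "9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178",  # SHA256
}
C2_ENDPOINTS = {
    ("94.247.168.64", 443),
    ("159.203.93.122", 8172),
    ("50.116.27.97", 2303),
}
ENABLE_LUA_KEY = (
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\Policies\System\EnableLUA"
)

# Assumed heuristic (not from the report): rundll32 calling an export of a
# DLL under %LOCALAPPDATA%\Temp, which is how the sandbox launched the sample.
RUNDLL32_TEMP_DLL = re.compile(
    r"rundll32\.exe\s+\S*\\AppData\\Local\\Temp\\[^ ]+\.dll,#\d+", re.IGNORECASE
)

# Constructed key=value telemetry for this demo; these are not real logs.
SAMPLE_LOGS = [
    'event=process_create pid=528 parent_image=C:\\Windows\\explorer.exe '
    'image=C:\\Windows\\system32\\rundll32.exe '
    'cmdline="rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\'
    '9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178.dll,#1"',
    'event=process_create pid=1028 parent_pid=528 '
    'parent_image=C:\\Windows\\system32\\rundll32.exe '
    'image=C:\\Windows\\SysWOW64\\rundll32.exe '
    'cmdline="rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\'
    '9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178.dll,#1"',
    'event=registry_query pid=1028 image=C:\\Windows\\SysWOW64\\rundll32.exe '
    'key=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    '\\Policies\\System\\EnableLUA',
    'event=network_connect pid=1028 image=C:\\Windows\\SysWOW64\\rundll32.exe '
    'dst_ip=94.247.168.64 dst_port=443',
    'event=network_connect pid=4412 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe '
    'dst_ip=203.0.113.10 dst_port=443',
    'event=file_create pid=1028 path=C:\\Users\\Admin\\AppData\\Local\\Temp\\x.dll '
    'sha256=9e1ef3f25ffac3cd6c89fc737f30a6df2912e530844c79d1e266f732fffe1178',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_event(ev):
    """Return the indicator names one parsed event matches (empty list if none)."""
    hits = []
    kind = ev.get("event")
    image = ev.get("image", "").lower()
    is_rundll32 = image.endswith("\\rundll32.exe")
    if kind == "network_connect" and \
            (ev.get("dst_ip"), int(ev.get("dst_port", 0))) in C2_ENDPOINTS:
        hits.append("dridex_c2_endpoint")
    if any(ev.get(h, "").lower() in FILE_HASHES for h in ("md5", "sha1", "sha256")):
        hits.append("known_sample_hash")
    if kind == "process_create" and is_rundll32:
        if RUNDLL32_TEMP_DLL.search(ev.get("cmdline", "")):
            hits.append("rundll32_temp_dll_export")
        # Mirrors the report's tree: system32 rundll32 -> SysWOW64 rundll32.
        if ev.get("parent_image", "").lower().endswith("\\rundll32.exe"):
            hits.append("rundll32_spawns_rundll32")
    # Weak on its own (benign software reads EnableLUA too), so only
    # flagged when the reader is rundll32.exe.
    if kind == "registry_query" and is_rundll32 and \
            ev.get("key", "").lower() == ENABLE_LUA_KEY.lower():
        hits.append("rundll32_queries_enablelua")
    return hits


def scan(lines):
    """Map line index -> indicator hits for every line that matches something."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_event(parse_kv(line))
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS).items():
        print(i, hits)
```

Run as a script it prints hits for lines 0, 1, 2, 3 and 5; the browser connection on line 4 produces none. The hash and C2 matches are exact indicators and can alert directly; the EnableLUA and rundll32-spawns-rundll32 hits are context and should be correlated with the parent's command line (the Temp-directory DLL) rather than alerted on alone.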