Analysis

- max time kernel: 18s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 03:18
- Static task: static1
General

- Target: 5067cdba0012e52d28ca876defcc883e9869fe084ca5f8d5e8095a63f88dc88f.dll
- Size: 158KB
- MD5: 4fd2c66999bcfbf4306abaf35bde39c6
- SHA1: 3d15ec5e7447d62f26c7f277775ae1e3f66f00d4
- SHA256: 5067cdba0012e52d28ca876defcc883e9869fe084ca5f8d5e8095a63f88dc88f
- SHA512: 82054de9b74713ff848040208e8404a687cab8a9f508f4ee84aeb58b4c96190f7c552430ad95462f2876af87e90b76cd764047c3fa2cd7cf62ad83451ef085d9
Malware Config

Extracted

- Family: dridex
- Botnet: 40111
- C2:
  - 8.210.53.215:443
  - 72.249.22.245:2303
  - 188.40.137.206:8172
- rc4.plain
Signatures

- YARA rule match
  Processes:
    resource: behavioral1/memory/3616-115-0x00000000739D0000-0x00000000739FD000-memory.dmp
    yara_rule: dridex_ldr

- Registry key value queried
  Processes:
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 3172 wrote to memory of 3616 | pid: 3172 | process: rundll32.exe | target process: rundll32.exe
    description: PID 3172 wrote to memory of 3616 | pid: 3172 | process: rundll32.exe | target process: rundll32.exe
    description: PID 3172 wrote to memory of 3616 | pid: 3172 | process: rundll32.exe | target process: rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5067cdba0012e52d28ca876defcc883e9869fe084ca5f8d5e8095a63f88dc88f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5067cdba0012e52d28ca876defcc883e9869fe084ca5f8d5e8095a63f88dc88f.dll,#1
    - Checks whether UAC is enabled