Analysis
- max time kernel: 18s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 16:21
- Static task: static1
General
- Target: f09bbc37000d311d2a08870194269df8bd69242f10b911227d7ffcd2b376d3d3.dll
- Size: 160KB
- MD5: 434896b96bcd0ff854702c71a7ac909f
- SHA1: a7f929e14fc749c30fc8d6c554d72cdeb7a6575e
- SHA256: f09bbc37000d311d2a08870194269df8bd69242f10b911227d7ffcd2b376d3d3
- SHA512: e789d15d6e596f77bbbfdbeba39fb303f3d5b116b4b69d02a4eeaaeac3961a86319f20a8aaed9f33a7407cdffc801753e361cca062e8065e5e31091bfa2407fa
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
- rc4.plain
- rc4.plain
Signatures

Processes:
resource                                                                       yara_rule
behavioral1/memory/1832-115-0x00000000735E0000-0x000000007360E000-memory.dmp   dridex_ldr

Processes:
description         ioc                                                                                    process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                        pid    process        target process
PID 3624 wrote to memory of 1832   3624   rundll32.exe   rundll32.exe
PID 3624 wrote to memory of 1832   3624   rundll32.exe   rundll32.exe
PID 3624 wrote to memory of 1832   3624   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f09bbc37000d311d2a08870194269df8bd69242f10b911227d7ffcd2b376d3d3.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f09bbc37000d311d2a08870194269df8bd69242f10b911227d7ffcd2b376d3d3.dll,#1
    - Checks whether UAC is enabled