Analysis
  max time kernel: 26s
  max time network: 78s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 24-06-2021 12:27
  Static task: static1
General
  Target: dfcd3365677f45f744851d8d98de2800dac66a4de63cab0116006a2ceee7ad16.dll
  Size: 158KB
  MD5: b26385335a4fc0f3cccc8f926f688c15
  SHA1: 2580d64f815444e4e454e1f43b98dacf7dbd2f81
  SHA256: dfcd3365677f45f744851d8d98de2800dac66a4de63cab0116006a2ceee7ad16
  SHA512: 38cec4d2dd9b47599e1ec7db22aa9da58207e4e06f48e10fcee024846bd193607e060580c58b2abe49cf06cbea1cd542e4cb257583ce4ccda6afaf8f3862e8da
Malware Config
Extracted
  Family: dridex
  Botnet: 40111
  C2:
    8.210.53.215:443
    72.249.22.245:2303
    188.40.137.206:8172
  rc4.plain
  rc4.plain
Signatures
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1172-115-0x00000000738F0000-0x000000007391D000-memory.dmp  dridex_ldr

  Processes:
    rundll32.exe
    description        ioc                                                                                     process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    rundll32.exe
    description                      pid  process       target process
    PID 808 wrote to memory of 1172  808  rundll32.exe  rundll32.exe
    PID 808 wrote to memory of 1172  808  rundll32.exe  rundll32.exe
    PID 808 wrote to memory of 1172  808  rundll32.exe  rundll32.exe
Processes
  1. C:\Windows\system32\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfcd3365677f45f744851d8d98de2800dac66a4de63cab0116006a2ceee7ad16.dll,#1
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfcd3365677f45f744851d8d98de2800dac66a4de63cab0116006a2ceee7ad16.dll,#1
          - Checks whether UAC is enabled