Analysis
- max time kernel: 19s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 08:23
- Static task: static1
General
- Target: 714a36b3b7235c53b5f89d45b8498ac2ec63a3c3c348331779a9ebe1ec3dffd6.dll
- Size: 160KB
- MD5: ac6d4abb7aa4c0ddb5592780b8ed25c8
- SHA1: 50a0206d97c9a0c859220c1978627e2324284d35
- SHA256: 714a36b3b7235c53b5f89d45b8498ac2ec63a3c3c348331779a9ebe1ec3dffd6
- SHA512: de94371fb953df103191af5adcbf0e5624ffcc0e0110ec8792acdaa22cb68c841aab0b688da3045e773e84fe71943c5ce841f094f55caa0d1415d1ca3580eda2
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 94.247.168.64:443
  - 159.203.93.122:8172
  - 50.116.27.97:2303
- rc4.plain
- rc4.plain
Signatures
- YARA rule match (dridex_ldr)
  resource | yara_rule
  behavioral1/memory/796-115-0x00000000742B0000-0x00000000742DE000-memory.dmp | dridex_ldr
- Checks whether UAC is enabled
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 3424 wrote to memory of 796 | 3424 | rundll32.exe | rundll32.exe
  PID 3424 wrote to memory of 796 | 3424 | rundll32.exe | rundll32.exe
  PID 3424 wrote to memory of 796 | 3424 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\714a36b3b7235c53b5f89d45b8498ac2ec63a3c3c348331779a9ebe1ec3dffd6.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\714a36b3b7235c53b5f89d45b8498ac2ec63a3c3c348331779a9ebe1ec3dffd6.dll,#1
      - Checks whether UAC is enabled