Analysis
Max time kernel: 19s
Max time network: 112s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 24-06-2021 23:37
Static task: static1
General
Target: 854500bd0550df072b93acd352216ac303a63f612761e538e52c5f198bd19775.dll
Size: 158KB
MD5: 55591060ad17b484f79b89d494e97035
SHA1: 4f890ce8d421a483b9d2ef5d1854b1c1d1046400
SHA256: 854500bd0550df072b93acd352216ac303a63f612761e538e52c5f198bd19775
SHA512: 06006d5430e0c16b667989eec5dd2d82f44fee05c2a390c3291e1e7a1ee1be48383ab53f5415c054d8b526902dd1b461f8fbe508a53aad8ca04b8fc642bf6dfd
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
8.210.53.215:443
72.249.22.245:2303
188.40.137.206:8172
rc4.plain
rc4.plain
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/3772-115-0x00000000739D0000-0x00000000739FD000-memory.dmp | dridex_ldr
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 3908 wrote to memory of 3772 | 3908 | rundll32.exe | rundll32.exe
PID 3908 wrote to memory of 3772 | 3908 | rundll32.exe | rundll32.exe
PID 3908 wrote to memory of 3772 | 3908 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\854500bd0550df072b93acd352216ac303a63f612761e538e52c5f198bd19775.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3908
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\854500bd0550df072b93acd352216ac303a63f612761e538e52c5f198bd19775.dll,#1
    - Checks whether UAC is enabled
    PID: 3772