Analysis
- max time kernel: 19s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 15:49
- Static task: static1
General
- Target: 7e33d0ee0f81340cd8c39c7b1a655ba254fcf48f8cbf3535daa4e47aafd3f840.dll
- Size: 160KB
- MD5: d41381b760b7fa7dc6537471a47711be
- SHA1: be3565f4e4fab3549abfc99bd3c8745eb6552b42
- SHA256: 7e33d0ee0f81340cd8c39c7b1a655ba254fcf48f8cbf3535daa4e47aafd3f840
- SHA512: 66bb4c5b36d40e869225566d38e2f77f8be816049c81b491e1c134b3e3e2006f075d0b95533d4d9f3d62dff23137650f3a422e4fed029311761101dcb31d3253
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  - 94.247.168.64:443
  - 159.203.93.122:8172
  - 50.116.27.97:2303
- rc4.plain
- rc4.plain
Signatures
- YARA rule match (dridex_ldr)
  Processes:
  resource: behavioral1/memory/3164-115-0x00000000741E0000-0x000000007420E000-memory.dmp | yara_rule: dridex_ldr
- Checks whether UAC is enabled
  Processes: rundll32.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description: PID 1016 wrote to memory of 3164 | pid: 1016 | process: rundll32.exe | target process: rundll32.exe
  description: PID 1016 wrote to memory of 3164 | pid: 1016 | process: rundll32.exe | target process: rundll32.exe
  description: PID 1016 wrote to memory of 3164 | pid: 1016 | process: rundll32.exe | target process: rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e33d0ee0f81340cd8c39c7b1a655ba254fcf48f8cbf3535daa4e47aafd3f840.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e33d0ee0f81340cd8c39c7b1a655ba254fcf48f8cbf3535daa4e47aafd3f840.dll,#1
    - Checks whether UAC is enabled