Analysis
max time kernel: 27s
max time network: 91s
platform: windows10_x64
resource: win10v20210408
submitted: 24-06-2021 11:02
Static task: static1
General
Target: 23388cb648359c5b733440277017d8e2dd31bb9bee9f9c71fa8b48e23d91e943.dll
Size: 158KB
MD5: e61b29a7076cfd4fe7af6cf65ffc5781
SHA1: f4a91bf83a32a2090cc9453d577ea774fe604647
SHA256: 23388cb648359c5b733440277017d8e2dd31bb9bee9f9c71fa8b48e23d91e943
SHA512: 743deefdf83b3905339fabf8550dfcc8c60c30a7182883c5f08956deb1b93809581b18b2bd872ebc9772f5f3cefed3488833d92c3b922e3bc2c6c57f5f9d7d29
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

Yara rule match
Processes:
  resource: behavioral1/memory/1844-115-0x0000000073990000-0x00000000739BD000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description: PID 1400 wrote to memory of 1844; pid: 1400; process: rundll32.exe; target process: rundll32.exe
  description: PID 1400 wrote to memory of 1844; pid: 1400; process: rundll32.exe; target process: rundll32.exe
  description: PID 1400 wrote to memory of 1844; pid: 1400; process: rundll32.exe; target process: rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23388cb648359c5b733440277017d8e2dd31bb9bee9f9c71fa8b48e23d91e943.dll,#1
  signature: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23388cb648359c5b733440277017d8e2dd31bb9bee9f9c71fa8b48e23d91e943.dll,#1
    signature: Checks whether UAC is enabled