Analysis

Max time kernel: 19s
Max time network: 113s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 24-06-2021 21:17
Static task: static1
General

Target: 8f81f6f9c4fc4e0115d8520d6ac9ae8fd6898f13b42fd4574ba9e17b5a4296a2.dll
Size: 160KB
MD5: 6ad710e7cdc72cb06aa5bed3fe9517b6
SHA1: 0338a063860e6ab7b8476667090511b3654b70de
SHA256: 8f81f6f9c4fc4e0115d8520d6ac9ae8fd6898f13b42fd4574ba9e17b5a4296a2
SHA512: 835fe13a9bd0d0c483bbccaf1e85def388abac761e683e1d1f41511f13d6130f4276a0ad4a310e73c72c727d62a39ef854d2e3f181528665341310ea1f94b1fa
Malware Config

Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
Signatures

Yara rule match
  Processes: (memory dump of PID 1856)
  resource: behavioral1/memory/1856-115-0x0000000074420000-0x000000007444E000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
  Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                        | pid  | process      | target process
  PID 2388 wrote to memory of 1856   | 2388 | rundll32.exe | rundll32.exe
  PID 2388 wrote to memory of 1856   | 2388 | rundll32.exe | rundll32.exe
  PID 2388 wrote to memory of 1856   | 2388 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe (PID 2388)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f81f6f9c4fc4e0115d8520d6ac9ae8fd6898f13b42fd4574ba9e17b5a4296a2.dll,#1
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1856, child of 2388)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f81f6f9c4fc4e0115d8520d6ac9ae8fd6898f13b42fd4574ba9e17b5a4296a2.dll,#1
    Signatures: Checks whether UAC is enabled
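The three behaviours the report records (rundll32 loading a DLL out of the user's Temp directory by ordinal export, one rundll32.exe writing into a second rundll32.exe it launched from a different system directory, and the EnableLUA registry read) are a workable detection set on their own. The Python below is an added example, not part of the sandbox report or of the sample: it rebuilds the report's process tree, registry access and WriteProcessMemory entries as constructed event dictionaries (the field names pid, ppid, image, cmdline, op, key and target_pid are this example's own, not a sandbox or EDR schema), adds one constructed benign rundll32 launch for contrast, and flags each behaviour separately so the rules can be reused over real process-creation, registry and memory-access telemetry.

```python
import re
from collections import Counter

# Constructed events mirroring the report. PID 3000 is an invented benign
# rundll32 launch (Control Panel applet) added so the rules have a negative case.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\8f81f6f9c4fc4e0115d8520d6ac9ae8fd6898f13b42fd4574ba9e17b5a4296a2.dll")

PROCESS_EVENTS = [
    {"pid": 2388, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + SAMPLE_DLL + ",#1"},
    {"pid": 1856, "ppid": 2388, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + SAMPLE_DLL + ",#1"},
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
REGISTRY_EVENTS = [
    {"pid": 1856, "op": "query",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
]
MEMORY_EVENTS = [{"op": "WriteProcessMemory", "pid": 2388, "target_pid": 1856}] * 3

# rundll32 syntax is '<dll>,<entry> [args]'; the entry is a name or '#ordinal'.
# Handles optional quoting and an optional path in front of rundll32.exe.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(#?[\w@]+)',
    re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, export); None if not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def rundll32_findings(events):
    """Map pid -> list of reasons for every rundll32 launch worth flagging."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        if USER_TEMP_RE.search(dll):
            reasons.append("DLL loaded from the user's Temp directory")
        if export.startswith("#"):
            reasons.append("entry point called by ordinal " + export)
        parent = by_pid.get(e["ppid"])
        # The report's system32 -> SysWOW64 re-launch: same binary name, different path.
        if parent and parent["image"].lower().endswith("rundll32.exe") \
                and parent["image"].lower() != e["image"].lower():
            reasons.append("re-launched by rundll32.exe from a different system directory")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


def cross_process_writes(mem_events):
    """Count WriteProcessMemory calls per (writer pid, target pid) pair."""
    return Counter((ev["pid"], ev["target_pid"])
                   for ev in mem_events if ev["op"] == "WriteProcessMemory")


def uac_queries(reg_events):
    """PIDs that read the EnableLUA policy value, i.e. the report's UAC check."""
    return sorted({ev["pid"] for ev in reg_events
                   if ev["op"] == "query"
                   and ev["key"].upper().endswith(r"\POLICIES\SYSTEM\ENABLELUA")})


if __name__ == "__main__":
    for pid, reasons in rundll32_findings(PROCESS_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
    for (src, dst), n in cross_process_writes(MEMORY_EVENTS).items():
        print(f"PID {src} wrote to PID {dst} {n} times")
    print("EnableLUA queried by:", uac_queries(REGISTRY_EVENTS))
```

Run stand-alone it flags PIDs 2388 and 1856 but not the constructed Control Panel launch, reports three writes from 2388 into 1856, and names 1856 as the process that read EnableLUA. Each rule is deliberately weak on its own (legitimate installers also load DLLs from Temp, and some signed components are invoked by ordinal); the signal is the combination within one process chain, which is why the functions return structured results rather than a single verdict.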