Analysis
max time kernel: 20s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 24-06-2021 04:58
Static task: static1
General
Target: dc8f3a12af7b6521b853c1b26a4819c94fb6ca291684cf29db652e1517c0086c.dll
Size: 158KB
MD5: e54e21cb9c5ec03f0b64453f9419ecf4
SHA1: fd6eb0a8b4c5e02c57678cd8892e047193b1f4a5
SHA256: dc8f3a12af7b6521b853c1b26a4819c94fb6ca291684cf29db652e1517c0086c
SHA512: 9aff4a2864d5283da868c9da40264d0136800ef59b753f1dd4dc5f8a63eb67243b2aa727fce6ba8e7f5371d2d2c28ef0dfeadacc5b56b8602be440a6c1084d71
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                    | yara_rule
  behavioral1/memory/3976-115-0x00000000742B0000-0x00000000742DD000-memory.dmp | dridex_ldr

Checks whether UAC is enabled
Processes:
  description       | ioc                                                                              | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                    | pid  | process      | target process
  PID 3156 wrote to memory of 3976 | 3156 | rundll32.exe | rundll32.exe
  PID 3156 wrote to memory of 3976 | 3156 | rundll32.exe | rundll32.exe
  PID 3156 wrote to memory of 3976 | 3156 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc8f3a12af7b6521b853c1b26a4819c94fb6ca291684cf29db652e1517c0086c.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc8f3a12af7b6521b853c1b26a4819c94fb6ca291684cf29db652e1517c0086c.dll,#1
    - Checks whether UAC is enabled