Analysis
  max time kernel: 18s
  max time network: 112s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 24-06-2021 14:27
  static task: static1
General
  Target: 49714c98cadf66b6f1b87a4d3813c213a0b67a674221961e4f238d8aff793160.dll
  Size: 158KB
  MD5: d9f79e733e2ad1b0486b48021fddf178
  SHA1: 234c82fee8bceb98dc437af91004e02e3aed86f4
  SHA256: 49714c98cadf66b6f1b87a4d3813c213a0b67a674221961e4f238d8aff793160
  SHA512: ad6ffc40b2e659aa61c15d10bcb6fd8d0f1e8ae7557653bd96c632a2138694cd16e854fdcbc0830f55b80f4110bce4c8c8ef0486ecf3fcdbabe06aaab4c7400d
Malware Config
  Extracted
    Family: dridex
    Botnet: 40111
    C2:
      8.210.53.215:443
      72.249.22.245:2303
      188.40.137.206:8172
    rc4.plain
    rc4.plain
Signatures

  YARA rule match in process memory
    resource: behavioral1/memory/4068-115-0x00000000755E0000-0x000000007560D000-memory.dmp (memory dump of PID 4068, the target of the WriteProcessMemory IoCs below)
    yara_rule: dridex_ldr

  Checks whether UAC is enabled
    process: rundll32.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

  Suspicious use of WriteProcessMemory (3 IoCs)
    process: rundll32.exe
    description: PID 3968 wrote to memory of 4068 (the same IoC is reported three times)
    pid: 3968
    process: rundll32.exe
    target process: rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\49714c98cadf66b6f1b87a4d3813c213a0b67a674221961e4f238d8aff793160.dll,#1
    - Suspicious use of WriteProcessMemory
    child process:
      C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\49714c98cadf66b6f1b87a4d3813c213a0b67a674221961e4f238d8aff793160.dll,#1
        - Checks whether UAC is enabled