Analysis

max time kernel: 18s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 24-06-2021 07:24
Static task: static1
General

Target: 078123cb9d64ad3a741365fffbad9ed6dd16d5605fbe673bee4ca64af1127c56.dll
Size: 158KB
MD5: c7ab3995901a7055ae2598e3862f8149
SHA1: 20737f447f43eb1cd099391a64b0eb9cae7a6112
SHA256: 078123cb9d64ad3a741365fffbad9ed6dd16d5605fbe673bee4ca64af1127c56
SHA512: 2a67eb5d89cd9bd5ff3b4febe008e566ef11e8fc44e92d0736b66acc216d33c770443d854217525b33efdd4cb0418305400419484699a73288e7bb7159b6b2ce
Malware Config

Extracted
Family: dridex
Botnet: 40111
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain:
rc4.plain:
Signatures

YARA match: dridex_ldr
resource                                                                      yara_rule
behavioral1/memory/3192-115-0x0000000073E80000-0x0000000073EAD000-memory.dmp   dridex_ldr
(The rule fires on a memory dump of pid 3192, the SysWOW64 rundll32.exe child in the process tree below; the 0x73E80000 base is a 32-bit address, consistent with a 32-bit DLL loaded into a 32-bit process.)

Checks whether UAC is enabled
description         ioc                                                                                   process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
description                        pid    process        target process
PID 2576 wrote to memory of 3192   2576   rundll32.exe   rundll32.exe
PID 2576 wrote to memory of 3192   2576   rundll32.exe   rundll32.exe
PID 2576 wrote to memory of 3192   2576   rundll32.exe   rundll32.exe
Processes

C:\Windows\system32\rundll32.exe (pid 2576)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\078123cb9d64ad3a741365fffbad9ed6dd16d5605fbe673bee4ca64af1127c56.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (pid 3192, child of 2576)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\078123cb9d64ad3a741365fffbad9ed6dd16d5605fbe673bee4ca64af1127c56.dll,#1
    - Checks whether UAC is enabled

Reading the tree: the DLL is invoked by export ordinal (",#1") rather than by export name. The first rundll32.exe is the 64-bit copy from system32; given a 32-bit DLL it re-launches the 32-bit SysWOW64 rundll32.exe with the same command line, and the parent-to-child WriteProcessMemory recorded above is part of that WoW64 hand-off, not injection performed by the sample. The behaviour attributable to the sample itself (the EnableLUA policy query and the dridex_ldr memory match) is in the child, pid 3192. No network events are recorded in this run despite the 113s network window, so the C2 list above comes only from the extracted configuration.
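The following hunting logic is an added example, not part of the sandbox report or the Dridex sample. It turns the report's indicators into checks that can be run over endpoint telemetry: a rundll32.exe chain loading a DLL by ordinal from the user's Temp directory, a cross-process write inside that chain, a query of the EnableLUA policy value, and connections to the extracted C2 addresses. The event records and their field names (type, pid, image, cmdline, key, dst_ip, ...) are constructed for the example and are an assumption, not any real sensor's schema; the indicators themselves are taken from the report.

```python
"""Hunting checks built from the indicators in the Dridex report above.

Added example, not from the sandbox report. Event dicts below are
constructed for illustration; the field names are an assumption."""
import ipaddress
import re

# C2 list as extracted in the report's Malware Config section.
DRIDEX_C2 = {
    ("8.210.53.215", 443),
    ("72.249.22.245", 2303),
    ("188.40.137.206", 8172),
}

# rundll32 called as "<path>.dll,#<ordinal>": export invoked by ordinal,
# which is how this sample is launched (",#1").
ORDINAL_DLL_RE = re.compile(r"(?i)([a-z]:\\[^\s,]+\.dll),#(\d+)")
TEMP_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
ENABLELUA = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\Policies\System\EnableLUA")


def rundll32_chain(events):
    """PIDs of rundll32.exe processes that load a DLL by ordinal from the
    user's Temp directory, plus any rundll32.exe parent that launched them
    (the 64-bit -> SysWOW64 re-launch seen in the report)."""
    pids = set()
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = ORDINAL_DLL_RE.search(ev["cmdline"])
        if m and TEMP_RE.search(m.group(1)):
            pids.add(ev["pid"])
            if ev.get("parent_image", "").lower().endswith("\\rundll32.exe"):
                pids.add(ev["parent_pid"])
    return pids


def cross_process_writes(events, pids):
    """(writer, target) pairs where both sides are in the chain. For a
    32-bit DLL the 64-bit rundll32 writes into its SysWOW64 twin as part
    of the hand-off, so this is context rather than a verdict by itself."""
    return [(ev["pid"], ev["target_pid"]) for ev in events
            if ev["type"] == "process_write"
            and ev["pid"] in pids and ev["target_pid"] in pids]


def uac_checks(events, pids):
    """PIDs in the chain that queried the EnableLUA policy value."""
    return [ev["pid"] for ev in events
            if ev["type"] == "registry_query"
            and ev["pid"] in pids and ev["key"].lower() == ENABLELUA.lower()]


def c2_contacts(events):
    """(pid, ip, port) for connections matching the extracted C2 list."""
    hits = []
    for ev in events:
        if ev["type"] != "network_connect":
            continue
        dst = (str(ipaddress.ip_address(ev["dst_ip"])), int(ev["dst_port"]))
        if dst in DRIDEX_C2:
            hits.append((ev["pid"],) + dst)
    return hits


def triage(events):
    """Run every check and return one summary dict."""
    pids = rundll32_chain(events)
    return {
        "chain_pids": sorted(pids),
        "writes": cross_process_writes(events, pids),
        "uac_checks": uac_checks(events, pids),
        "c2": c2_contacts(events),
    }


# Constructed events mirroring the report's process tree (assumed schema).
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\078123cb9d64ad3a741365fffbad9ed6dd16d5605fbe673bee4ca64af1127c56.dll")
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2576, "parent_pid": 1000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 3192, "parent_pid": 2576,
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_write", "pid": 2576, "target_pid": 3192},
    {"type": "registry_query", "pid": 3192, "key": ENABLELUA},
    {"type": "network_connect", "pid": 3192,
     "dst_ip": "8.210.53.215", "dst_port": 443},
    # Benign noise: rundll32 loading a system DLL by export name, not flagged.
    {"type": "process_create", "pid": 4100, "parent_pid": 1000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The chain check is deliberately scoped to ordinal exports from Temp so that routine rundll32 use (Control Panel applets, shell32 exports by name) does not fire; the cross-process write is reported only as context because the report's own tree shows it occurring in the WoW64 re-launch, and the C2 check needs a (ip, port) pair rather than the IP alone since the extracted list uses non-standard ports.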