Analysis
- max time kernel: 18s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 25-06-2021 04:47
- Static task: static1
General
- Target: 5333c0997f9f8905e66efc815d36b587dcbcb1b728486d2918266ba3c77a7c5d.dll
- Size: 160KB
- MD5: be2418a2db5c61e33ab4cf1dc7fd2fbf
- SHA1: 0108e9d799a8c71c1e196ee65ba8e4d852701dcd
- SHA256: 5333c0997f9f8905e66efc815d36b587dcbcb1b728486d2918266ba3c77a7c5d
- SHA512: daa8441ee50d1061de754f3e025d1cddf1fc07b45ea39520d609eab94b86ef831adc8a75a461bb9eae4420f3ff4e19902805f1be849159a30fc7ff8acc92254b
Malware Config (Extracted)
- Family: dridex
- Botnet: 40111
- C2:
  - 94.247.168.64:443
  - 159.203.93.122:8172
  - 50.116.27.97:2303
- rc4.plain
- rc4.plain
Signatures
- YARA rule match
  resource | yara_rule
  behavioral1/memory/3152-115-0x00000000736B0000-0x00000000736DE000-memory.dmp | dridex_ldr
- Checks whether UAC is enabled
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2752 wrote to memory of 3152 | 2752 | rundll32.exe | rundll32.exe
  PID 2752 wrote to memory of 3152 | 2752 | rundll32.exe | rundll32.exe
  PID 2752 wrote to memory of 3152 | 2752 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5333c0997f9f8905e66efc815d36b587dcbcb1b728486d2918266ba3c77a7c5d.dll,#1
  - Suspicious use of WriteProcessMemory
  - PID: 2752
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5333c0997f9f8905e66efc815d36b587dcbcb1b728486d2918266ba3c77a7c5d.dll,#1
    - Checks whether UAC is enabled
    - PID: 3152