Analysis
max time kernel: 19s
max time network: 135s
platform: windows10_x64
resource: win10v20210410
submitted: 25-06-2021 05:51
Static task: static1
General
Target: 49fdfc3aae8810053753e07d3862e747fe53b307ddbac2938c8fc0fe5dc9f296.dll
Size: 160KB
MD5: d28905e6ab2f266deccdf88dbdd31eca
SHA1: b6a36dc2dca15a54c1fed912245753c3fe999b05
SHA256: 49fdfc3aae8810053753e07d3862e747fe53b307ddbac2938c8fc0fe5dc9f296
SHA512: fc4c972564e1e597fd3d4151d6e7aaa5f8f70f2ad8a18d739ff381b98c0107fa90592f317d7b70c6e5e3b1ece445eb9bf6b111f83faf917f7f273138b081a527
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
Signatures

YARA rule match (memory)
  resource: behavioral1/memory/3780-115-0x0000000074480000-0x00000000744AE000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 4024 wrote to memory of 3780 | 4024 | rundll32.exe | rundll32.exe
  PID 4024 wrote to memory of 3780 | 4024 | rundll32.exe | rundll32.exe
  PID 4024 wrote to memory of 3780 | 4024 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe (PID 4024)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\49fdfc3aae8810053753e07d3862e747fe53b307ddbac2938c8fc0fe5dc9f296.dll,#1
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 3780, child of PID 4024)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\49fdfc3aae8810053753e07d3862e747fe53b307ddbac2938c8fc0fe5dc9f296.dll,#1
    signatures: Checks whether UAC is enabled