Analysis
  max time kernel:  20s
  max time network: 112s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        25-06-2021 12:24
  Static task:      static1
General
  Target: 01d40601e5e2073b8f331180d87d92c42799b83d313328a834ce56ce75b9f33a.dll
  Size:   160KB
  MD5:    2abd833a787b4dec89dac989446102bb
  SHA1:   358e379c7b8059c29531c378074a6746e6936d9d
  SHA256: 01d40601e5e2073b8f331180d87d92c42799b83d313328a834ce56ce75b9f33a
  SHA512: 32661f1198ea0ff72b19fce9232fd1fb125bcb4be4f8344076544ce446856af99c9aaf1963b53771811ad4aec52e82613dc204c474b967b979bd798b89494cec
Malware Config (Extracted)
  Family: dridex
  Botnet: 40111
  C2:
    94.247.168.64:443
    159.203.93.122:8172
    50.116.27.97:2303
  rc4.plain
  rc4.plain
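The two rc4.plain entries show that the sandbox recovered RC4 key material next to the config, but neither the key values nor the extractor's decryption routine appear on this page. As an added example, not code from the page, the sandbox or the Dridex authors, the block below implements standard RC4 (KSA plus PRGA) and applies it to a constructed blob: the key, the blob and its one-"ip:port"-per-line layout are made up for the demonstration, only the three C2 addresses come from the report, and the real Dridex config format is not reproduced.

```python
def rc4_keystream(key: bytes):
    """Standard RC4: key scheduling (KSA), then the PRGA as a generator of keystream bytes."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a symmetric XOR stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def parse_c2_list(plaintext: bytes):
    """Parse a decrypted blob laid out as one 'ip:port' per line into (ip, port) tuples."""
    out = []
    for line in plaintext.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        out.append((host, int(port)))
    return out


def decrypt_c2_list(rc4_key: bytes, blob: bytes):
    """Decrypt an RC4-protected C2 blob and parse it (assumed layout, see above)."""
    return parse_c2_list(rc4(rc4_key, blob))


# Constructed data: a made-up key (not the sample's rc4.plain value) and the report's
# C2 list in an assumed one-per-line layout; built here so the example runs offline.
DEMO_KEY = b"example-key-not-from-sample"
DEMO_PLAINTEXT = b"94.247.168.64:443\n159.203.93.122:8172\n50.116.27.97:2303\n"
DEMO_BLOB = rc4(DEMO_KEY, DEMO_PLAINTEXT)   # what the "encrypted config" would look like


if __name__ == "__main__":
    print(decrypt_c2_list(DEMO_KEY, DEMO_BLOB))
```

The keystream generator is checked against the well-known public RC4 test vectors (key "Key" with plaintext "Plaintext" gives BBF316E8D940AF0AD3), so the same routine can be pointed at a real rc4.plain value and a dumped config blob once both are in hand.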
Signatures

- YARA rule match (memory)
    resource:  behavioral1/memory/3972-115-0x0000000073A70000-0x0000000073A9E000-memory.dmp
    yara_rule: dridex_ldr

- Checks whether UAC is enabled
    description: Key value queried
    ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process:     rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
    description: PID 1868 wrote to memory of 3972
    pid / process:               1868  rundll32.exe
    target pid / target process: 3972  rundll32.exe
    (three identical entries)
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\01d40601e5e2073b8f331180d87d92c42799b83d313328a834ce56ce75b9f33a.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\01d40601e5e2073b8f331180d87d92c42799b83d313328a834ce56ce75b9f33a.dll,#1
      - Checks whether UAC is enabled

Reading the tree together with the signatures: the sample is a 32-bit DLL invoked through its ordinal export #1, so the 64-bit system32 rundll32.exe (PID 1868) relaunches the SysWOW64 rundll32.exe (PID 3972) and writes into it, which is the normal cross-architecture rundll32 behaviour behind the WriteProcessMemory hits. The dridex_ldr YARA match sits in the 32-bit child's memory at 0x73A70000-0x73A9E000, and that same child is the process that queries EnableLUA.
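For hunting the same behaviour outside the sandbox, the following is an added example (not part of the report and not sandbox code) of detection logic run over constructed Sysmon-style events: process creation (event 1), image load (event 7) and network connection (event 3). The DLL path, the two rundll32 PIDs, the hashes and the C2 endpoints are copied from the report; the parent of PID 1868, the dictionary field names and the DNS event are assumptions made so the example runs offline.

```python
import re

# Indicators copied from the report above.
SAMPLE_SHA256 = "01d40601e5e2073b8f331180d87d92c42799b83d313328a834ce56ce75b9f33a"
DRIDEX_C2 = {("94.247.168.64", 443), ("159.203.93.122", 8172), ("50.116.27.97", 2303)}

# rundll32 invoked as "<path>.dll,#<n>": an export called by ordinal rather than by name.
ORDINAL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*#(?P<ordinal>\d+)', re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def rundll32_findings(event):
    """Findings for one process-creation event (Sysmon event 1 style dict)."""
    findings = []
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return findings
    m = ORDINAL_RE.search(event.get("CommandLine", ""))
    if m:
        findings.append(f"export called by ordinal #{m.group('ordinal')}")
        if USER_TEMP_RE.search(m.group("dll")):
            findings.append("DLL loaded from user Temp directory")
    if event.get("ParentImage", "").lower().endswith("\\rundll32.exe"):
        # A 64-bit rundll32 relaunching SysWOW64\rundll32 for a 32-bit DLL is normal
        # Windows behaviour (and is what produced the WriteProcessMemory hits), so this
        # is context for the other findings rather than a verdict on its own.
        findings.append("rundll32 child of rundll32 (cross-architecture relaunch)")
    return findings


def c2_hit(event):
    """True if a network-connection event targets one of the extracted C2 endpoints."""
    try:
        return (event.get("DestinationIp"), int(event.get("DestinationPort"))) in DRIDEX_C2
    except (TypeError, ValueError):
        return False


def dll_hash_hit(event):
    """True if an image-load event's Sysmon 'Hashes' field carries the sample's SHA256."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256=") and part[7:].lower() == SAMPLE_SHA256:
            return True
    return False


# Constructed events mirroring the report's process tree, hashes and C2 list.
# The parent of PID 1868, the field layout and the DNS event are assumptions.
DLL = r"C:\Users\Admin\AppData\Local\Temp\01d40601e5e2073b8f331180d87d92c42799b83d313328a834ce56ce75b9f33a.dll"
EVENTS = [
    {"EventId": 1, "ProcessId": 1868, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": 1, "ProcessId": 3972, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1",
     "ParentImage": r"C:\Windows\system32\rundll32.exe"},
    {"EventId": 7, "ProcessId": 3972, "ImageLoaded": DLL,
     "Hashes": "MD5=2abd833a787b4dec89dac989446102bb,SHA256=" + SAMPLE_SHA256},
    {"EventId": 3, "ProcessId": 3972, "DestinationIp": "159.203.93.122", "DestinationPort": "8172"},
    {"EventId": 3, "ProcessId": 4096, "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]


def triage(events):
    """Map PID -> list of findings across process, image-load and network events."""
    report = {}
    for e in events:
        hits = []
        if e.get("EventId") == 1:
            hits = rundll32_findings(e)
        elif e.get("EventId") == 7 and dll_hash_hit(e):
            hits = [f"loaded DLL with SHA256 {SAMPLE_SHA256[:12]}..."]
        elif e.get("EventId") == 3 and c2_hit(e):
            hits = [f"connection to Dridex C2 {e['DestinationIp']}:{e['DestinationPort']}"]
        if hits:
            report.setdefault(e["ProcessId"], []).extend(hits)
    return report


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```

The ordinal-export and user-Temp checks carry the weight; the rundll32-spawns-rundll32 relation is recorded only as context, since on a real host it also appears for legitimate 32-bit DLLs and would alert on every one of them if used alone.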