Analysis
  max time kernel:   18s
  max time network:  135s
  platform:          windows10_x64
  resource:          win10v20210410
  submitted:         25-06-2021 21:46
  Static task:       static1
General
  Target:  dcbfee966da3941a49280b6acaf88bcd7ed43a08a754e866e4a34363525e7fc4.dll
  Size:    160KB
  MD5:     1395f65e83fe311075f2220686ea3c34
  SHA1:    49a4cc2b541072668ad48ca9de74b57c5d6e1e05
  SHA256:  dcbfee966da3941a49280b6acaf88bcd7ed43a08a754e866e4a34363525e7fc4
  SHA512:  0b93f50560780080d51c9ae06f17e65ff5c4b339a1e45f12c6b688126b26663bdd071ce41cdfdc4e53d32993651a197a83e04d32f003b392c25a8bf625963f48
Malware Config
  Extracted
    Family:  dridex
    Botnet:  40111
    C2:
      94.247.168.64:443
      159.203.93.122:8172
      50.116.27.97:2303
    rc4.plain
    rc4.plain
Signatures
  YARA match (resource / yara_rule):
    behavioral1/memory/476-115-0x00000000739B0000-0x00000000739DE000-memory.dmp   dridex_ldr

  Registry key queried (description / ioc / process):
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe

  Suspicious use of WriteProcessMemory (3 IoCs; description / pid / process / target process):
    PID 1808 wrote to memory of 476   1808   rundll32.exe   rundll32.exe
    PID 1808 wrote to memory of 476   1808   rundll32.exe   rundll32.exe
    PID 1808 wrote to memory of 476   1808   rundll32.exe   rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcbfee966da3941a49280b6acaf88bcd7ed43a08a754e866e4a34363525e7fc4.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcbfee966da3941a49280b6acaf88bcd7ed43a08a754e866e4a34363525e7fc4.dll,#1
      - Checks whether UAC is enabled