Analysis
max time kernel: 26s
max time network: 134s
platform: windows10_x64
resource: win10v20210408
submitted: 25-06-2021 09:03
Static task: static1
General
Target: 638fc1732b46ce4741747d411bc2cfafd398139d50b314b6f8bba7d0b9c854f8.dll
Size: 160KB
MD5: 492b8a56d47e0eeb6bf239b07c6b04af
SHA1: de24beb1446b8fca44dd80ce08441500c1d44156
SHA256: 638fc1732b46ce4741747d411bc2cfafd398139d50b314b6f8bba7d0b9c854f8
SHA512: 321a7e7a7dc512bf12aaff05786910761603e2b167a40f694e0dece4e27476d2174c02fb0e65be3ebb22ccecb5128fcda02b8f0b61fb33bb17d0def293d37540
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
Signatures

Yara rule match (dridex_ldr)
  resource: behavioral1/memory/2192-115-0x0000000073990000-0x00000000739BE000-memory.dmp
  yara_rule: dridex_ldr

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1404 wrote to memory of 2192
  pid: 1404 (rundll32.exe)
  target process: 2192 (rundll32.exe)
  (the same event is recorded three times)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\638fc1732b46ce4741747d411bc2cfafd398139d50b314b6f8bba7d0b9c854f8.dll,#1
  PID: 1404
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 1404)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\638fc1732b46ce4741747d411bc2cfafd398139d50b314b6f8bba7d0b9c854f8.dll,#1
    PID: 2192
    - Checks whether UAC is enabled