Analysis
max time kernel: 27s
max time network: 150s
platform: windows10_x64
resource: win10v20210408
submitted: 25-06-2021 02:46
Static task: static1
General
Target: 918a33e1e74cb2439658e8ac735791b44992b8051d066f46dcdb0dc1dca1f983.dll
Size: 160KB
MD5: 9a7c482fb2f54f2a653472dfa8b90631
SHA1: 05895e8f3ba45b2e6818b1aaaf4c3f80bd155901
SHA256: 918a33e1e74cb2439658e8ac735791b44992b8051d066f46dcdb0dc1dca1f983
SHA512: 4c24c538a6758309b473efc56cc8ba0004cb798046152c94f6d9ce8d449cafd61e218542b135d1b71e9d65ca3a943467dfc0a85fb7e70d8c1069372c2610fd98
Malware Config
Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
Signatures

Processes:
  resource: behavioral1/memory/1228-115-0x0000000073C70000-0x0000000073C9E000-memory.dmp
  yara_rule: dridex_ldr

Processes:
  process: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 396 wrote to memory of 1228; pid: 396; process: rundll32.exe; target process: rundll32.exe
  description: PID 396 wrote to memory of 1228; pid: 396; process: rundll32.exe; target process: rundll32.exe
  description: PID 396 wrote to memory of 1228; pid: 396; process: rundll32.exe; target process: rundll32.exe
Processes

C:\Windows\system32\rundll32.exe (PID: 396)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\918a33e1e74cb2439658e8ac735791b44992b8051d066f46dcdb0dc1dca1f983.dll,#1
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID: 1228, child of 396)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\918a33e1e74cb2439658e8ac735791b44992b8051d066f46dcdb0dc1dca1f983.dll,#1
    signatures: Checks whether UAC is enabled