Analysis
- max time kernel: 19s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-06-2021 05:02
Static task: static1
General
- Target: 4dc187bd827163256210dbf36c4e9ad12f85845e94c29bdbce10fb5f90775a52.dll
- Size: 158KB
- MD5: 1c3859a335833398406afe0e19ff885b
- SHA1: 8dab965d4c5412d06e639f30cb32faebc5309c26
- SHA256: 4dc187bd827163256210dbf36c4e9ad12f85845e94c29bdbce10fb5f90775a52
- SHA512: a13dde55ec427fb5fb014bc8c5707df7a114615a43a6e70d90597a4e6a973638e18a44a0979862c943ed30d54f65bdeca7bc66a1d5f4a582ac18713cd58f6949
Malware Config
Extracted
- Family: dridex
- Botnet: 40111
- C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
- rc4.plain
- rc4.plain
Signatures
- YARA rule match: dridex_ldr
  Processes (resource / yara_rule):
    behavioral1/memory/1736-115-0x0000000073DE0000-0x0000000073E0D000-memory.dmp    dridex_ldr
  (The matched region lives in PID 1736, the SysWOW64 rundll32.exe, below the 4 GB boundary; 0x73E0D000 - 0x73DE0000 = 0x2D000 bytes, consistent with a 32-bit image mapped in a WoW64 process.)
- Checks whether UAC is enabled
  Processes (description / ioc / process):
    Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 3892 wrote to memory of 1736    rundll32.exe -> rundll32.exe
    PID 3892 wrote to memory of 1736    rundll32.exe -> rundll32.exe
    PID 3892 wrote to memory of 1736    rundll32.exe -> rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3892)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4dc187bd827163256210dbf36c4e9ad12f85845e94c29bdbce10fb5f90775a52.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1736), child of PID 3892
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4dc187bd827163256210dbf36c4e9ad12f85845e94c29bdbce10fb5f90775a52.dll,#1
    - Checks whether UAC is enabled

Reading the tree: the DLL is invoked by export ordinal (",#1") from the user's Temp directory, and the 64-bit System32 rundll32.exe re-launches the 32-bit SysWOW64 rundll32.exe with the same command line, which is the standard behaviour when a 64-bit rundll32 is handed a 32-bit DLL. The three WriteProcessMemory events are the parent (3892) writing into its own freshly created child (1736), so they are consistent with that relaunch rather than with injection into an unrelated process; the loader code itself, and the EnableLUA check, run in PID 1736.
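The report's indicators can be turned into hunting checks directly. The block below is an added example and is not part of the sandbox report or of any vendor tooling: it parses the C2 list and the memory-dump name from the report, builds a command-line pattern for rundll32 loading a DLL from a user Temp directory by ordinal, and runs those checks over a handful of constructed Sysmon-style events. The event layout, field names, sample events and the reading of the dump-name format ("pid-sequence-start-end") are assumptions made for illustration; only the hashes, C2 addresses, registry key and dump name are taken from the report.

```python
"""Added example, not part of the sandbox report: turn the report's IoCs into
hunting checks and run them over constructed Sysmon-style events.
Everything except the IoC constants (event layout, field names, sample
events, dump-name interpretation) is an assumption made for illustration."""
import re

# IoCs copied from the report.
SHA256 = "4dc187bd827163256210dbf36c4e9ad12f85845e94c29bdbce10fb5f90775a52"
MD5 = "1c3859a335833398406afe0e19ff885b"
C2_LINES = ["8.210.53.215:443", "72.249.22.245:2303", "188.40.137.206:8172"]
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
YARA_DUMP = "behavioral1/memory/1736-115-0x0000000073DE0000-0x0000000073E0D000-memory.dmp"

# rundll32 invoking a DLL from a user Temp directory by export ordinal, as in the process tree.
RUNDLL_TEMP_ORDINAL = re.compile(
    r"rundll32\.exe\s+.*\\AppData\\Local\\Temp\\[^,\s]+\.dll,#\d+\b", re.IGNORECASE)


def parse_c2(lines):
    """'ip:port' strings -> set of (ip, port) tuples; rejects malformed entries."""
    out = set()
    for line in lines:
        host, sep, port = line.strip().rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad C2 entry: {line!r}")
        out.add((host, int(port)))
    return out


C2 = parse_c2(C2_LINES)


def parse_memdump_name(path):
    """Split a '<pid>-<n>-<start>-<end>-memory.dmp' name (the middle number is
    assumed to be a dump sequence number) into pid, start, end and region size."""
    m = re.search(r"/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$", path)
    if not m:
        raise ValueError(f"unrecognised dump name: {path!r}")
    pid, _, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "start": start, "end": end, "size": end - start,
            "wow64_range": end <= 0xFFFFFFFF}   # below 4 GB: 32-bit address space


def suspicious_cmdline(cmdline):
    return bool(RUNDLL_TEMP_ORDINAL.search(cmdline))


def triage_events(events):
    """Return sorted [(index, reason)] for events matching the report's IoCs.
    The EnableLUA query alone is weak (many benign programs read it), so it is
    only reported for a PID that already matched a stronger indicator."""
    hits, flagged_pids = [], set()
    for i, ev in enumerate(events):            # first pass: strong indicators
        if ev["type"] == "process" and suspicious_cmdline(ev["cmdline"]):
            hits.append((i, "rundll32 loading a DLL from user Temp by ordinal"))
            flagged_pids.add(ev["pid"])
        elif ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) in C2:
            hits.append((i, "connection to a Dridex C2 from the report"))
            flagged_pids.add(ev["pid"])
        elif ev["type"] == "file" and ev.get("sha256", "").lower() == SHA256:
            hits.append((i, "known sample hash"))
            flagged_pids.add(ev["pid"])
    for i, ev in enumerate(events):            # second pass: weak indicator, needs context
        if (ev["type"] == "registry" and ev["key"].upper() == UAC_KEY.upper()
                and ev["pid"] in flagged_pids):
            hits.append((i, "EnableLUA queried by an already-flagged process"))
    return sorted(hits)


# Constructed events for this example (not from the report); index 1, 3 and 5 are benign.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1736, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4dc187bd827163256210dbf36c4e9ad12f85845e94c29bdbce10fb5f90775a52.dll,#1"},
    {"type": "process", "pid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "pid": 1736, "dst_ip": "8.210.53.215", "dst_port": 443},
    {"type": "network", "pid": 4100, "dst_ip": "8.8.8.8", "dst_port": 53},
    {"type": "registry", "pid": 1736, "key": UAC_KEY},
    {"type": "registry", "pid": 4100, "key": UAC_KEY},
    {"type": "file", "pid": 1736, "sha256": SHA256},
]

if __name__ == "__main__":
    print(parse_memdump_name(YARA_DUMP))
    for idx, reason in triage_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The two-pass structure is the point: the registry read of EnableLUA is only meaningful when tied to a process that already tripped a stronger indicator, which is why the unrelated PID 4100 querying the same key produces no hit.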