Analysis

max time kernel: 26s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 26-06-2021 01:33
Static task: static1
General

Target: 24e30d8cd298f43057e89f42400a6579d52d1d77521ec5cf1e4b8c77a9406f8f.dll
Size: 160KB
MD5: ee9fbd7b3185077a86a72132c41bb38b
SHA1: 10dd44f829ef5704da98eedd814e1df292ca6ff4
SHA256: 24e30d8cd298f43057e89f42400a6579d52d1d77521ec5cf1e4b8c77a9406f8f
SHA512: 6a20dc65ea204289cc6cb25822ff560ab6c75ad589907aa299a5fc869592a5e91a480d1710aef6a5f558b13edb042b7186a251df4441fafb31b4e42b32f22a51
Malware Config

Extracted
Family: dridex
Botnet: 40111
C2:
  94.247.168.64:443
  159.203.93.122:8172
  50.116.27.97:2303
rc4.plain
rc4.plain
Signatures

Processes:
resource | yara_rule
behavioral1/memory/3112-115-0x0000000073890000-0x00000000738BE000-memory.dmp | dridex_ldr

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 3008 wrote to memory of 3112 | 3008 | rundll32.exe | rundll32.exe
PID 3008 wrote to memory of 3112 | 3008 | rundll32.exe | rundll32.exe
PID 3008 wrote to memory of 3112 | 3008 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24e30d8cd298f43057e89f42400a6579d52d1d77521ec5cf1e4b8c77a9406f8f.dll,#1
  Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24e30d8cd298f43057e89f42400a6579d52d1d77521ec5cf1e4b8c77a9406f8f.dll,#1
    Checks whether UAC is enabled