Analysis
max time kernel: 26s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 26-06-2021 01:59
Static task: static1
General
Target: e244a3383e299500f4b61ab57e413b8e661d55e470bbf3ff41c506507ddffac8.dll
Size: 158KB
MD5: 0f0fedd46cb4ab451c288bb34b37271c
SHA1: b3f52e6cd19c9f7e550ee95e06243eb5ba035c08
SHA256: e244a3383e299500f4b61ab57e413b8e661d55e470bbf3ff41c506507ddffac8
SHA512: 611921f83ef2b960b632da1c98471192609b090667d7c8c957dee687de36d5ff496260efd497ffaa375f8c2ffdd415d9354683b7ca936eba3ab84191968735e2
Malware Config (Extracted)
Family: dridex
Botnet: 40111
C2:
  8.210.53.215:443
  72.249.22.245:2303
  188.40.137.206:8172
rc4.plain
rc4.plain
Signatures

YARA match (dridex loader)
Processes:
  resource                                                                          | yara_rule
  behavioral1/memory/4884-115-0x0000000073880000-0x00000000738AD000-memory.dmp     | dridex_ldr

Checks whether UAC is enabled
Processes: rundll32.exe
  description        | ioc                                                                                  | process
  Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                         | pid  | process      | target process
  PID 4796 wrote to memory of 4884    | 4796 | rundll32.exe | rundll32.exe
  PID 4796 wrote to memory of 4884    | 4796 | rundll32.exe | rundll32.exe
  PID 4796 wrote to memory of 4884    | 4796 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e244a3383e299500f4b61ab57e413b8e661d55e470bbf3ff41c506507ddffac8.dll,#1
   PID: 4796
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e244a3383e299500f4b61ab57e413b8e661d55e470bbf3ff41c506507ddffac8.dll,#1
      PID: 4884
      Signatures: Checks whether UAC is enabled