Analysis
- max time kernel: 26s
- max time network: 72s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-06-2021 20:20
- Static task: static1
General
- Target: c1e63ab58699972b645abb96f2ea3472d0c0ae04d13ec7d10f55d890738511c3.dll
- Size: 160KB
- MD5: 105f58977dbed6b4c1323eee30b1a17c
- SHA1: 72ce76f76204d969a4d15bdc0dfccf5fda7b7507
- SHA256: c1e63ab58699972b645abb96f2ea3472d0c0ae04d13ec7d10f55d890738511c3
- SHA512: 2138e1e5ea78a05cc3e1a62d7e7507206cc85505c0c28986fb90a5b1d9442f09842a2285eca1cb6f7e6f70342810891b24da23ab4fdca1a3094d72bc932d99d4
Malware Config (Extracted)
- Family: dridex
- Botnet: 40111
- C2:
  - 94.247.168.64:443
  - 159.203.93.122:8172
  - 50.116.27.97:2303
- rc4.plain
Signatures
- YARA rule match
  resource: behavioral1/memory/1012-115-0x0000000074350000-0x000000007437E000-memory.dmp
  yara_rule: dridex_ldr
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 652 wrote to memory of 1012 (process rundll32.exe, target process rundll32.exe)
  description: PID 652 wrote to memory of 1012 (process rundll32.exe, target process rundll32.exe)
  description: PID 652 wrote to memory of 1012 (process rundll32.exe, target process rundll32.exe)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1e63ab58699972b645abb96f2ea3472d0c0ae04d13ec7d10f55d890738511c3.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1e63ab58699972b645abb96f2ea3472d0c0ae04d13ec7d10f55d890738511c3.dll,#1
    - Checks whether UAC is enabled