Analysis
- max time kernel: 24s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10-06-2021 23:56
- Static task: static1
General
- Target: 20d50b45cc82bd614bc6ba3da79c87c2fe22219ad5920c8e9b91edc561d8f360.dll
- Size: 170KB
- MD5: 48de6355d700e054c51ad6744eb774ad
- SHA1: 410aa21494b167fdfb155186d9484e44b4c4f4a9
- SHA256: 20d50b45cc82bd614bc6ba3da79c87c2fe22219ad5920c8e9b91edc561d8f360
- SHA512: c5b04ac9ac6f38790d865a6d89bbdc36217ffdfce3ba6ad465a9a19835a42f4e7cfccdc817ff0ff8acc3dcf5497ec0ca1c684818feae548e5f2e6d004d1987fe
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description: PID 2268 created 1208 | pid: 2268 | process: WerFault.exe | target process: rundll32.exe

Yara rule match (1 IoC)
  resource: behavioral1/memory/1208-115-0x0000000073F10000-0x0000000073F3F000-memory.dmp | yara_rule: dridex_ldr

Program crash (1 IoC)
  pid: 2268 | pid_target: 1208 | process: WerFault.exe | target process: rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 2268 | process: WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege | pid: 2268 | process: WerFault.exe
  Token: SeBackupPrivilege | pid: 2268 | process: WerFault.exe
  Token: SeDebugPrivilege | pid: 2268 | process: WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 488 wrote to memory of 1208 | pid: 488 | process: rundll32.exe | target process: rundll32.exe (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 488)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\20d50b45cc82bd614bc6ba3da79c87c2fe22219ad5920c8e9b91edc561d8f360.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1208)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\20d50b45cc82bd614bc6ba3da79c87c2fe22219ad5920c8e9b91edc561d8f360.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 2268)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature tables above. The 64-bit rundll32.exe (system32) relaunches the 32-bit copy (SysWOW64) because the sample is a 32-bit DLL; the DLL is invoked by ordinal export #1, and the 32-bit host (PID 1208) crashed under the sandbox, so WerFault.exe was started to report on it (-p 1208). The Dridex loader yara hit is on the memory dump of that same process.
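The C2 endpoints from the extracted config and the rundll32 / WerFault chain in the process tree, turned into detection logic run over sample telemetry. This is an added example and not part of the sandbox report or of any vendor tooling. Assumptions: the flat dict layout stands in for Sysmon-style process-create, network-connect and cross-process-write events; the sample records are constructed from the PIDs and command lines in the report, plus a benign rundll32 launch (PID 3000) and a DNS lookup; the parent PID 1000 is made up.

```python
"""Added example: match this report's indicators against constructed telemetry.

Assumption (not in the report): the dicts below stand in for Sysmon-style
ProcessCreate, NetworkConnect and cross-process memory-write events.
"""
import hashlib
import hmac
import re

# Indicators copied from the report.
SAMPLE_SHA256 = "20d50b45cc82bd614bc6ba3da79c87c2fe22219ad5920c8e9b91edc561d8f360"
C2_ENDPOINTS = {
    ("210.65.244.187", 443),
    ("162.241.41.92", 2303),
    ("46.231.204.10", 8172),
    ("185.183.159.100", 4125),
}
DLL_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".dll"

# rundll32 invoked on a DLL under %LOCALAPPDATA%\Temp by ordinal export (",#N").
TEMP_DLL_BY_ORDINAL = re.compile(
    r"rundll32\.exe\s+.*\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE
)

# Constructed sample events. PIDs 488/1208/2268 and the command lines come from
# the report; parent PID 1000 and the PID 3000 benign events are invented.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 488, "parent_pid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL_PATH + ",#1"},
    {"type": "process", "pid": 1208, "parent_pid": 488,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL_PATH + ",#1"},
    {"type": "memwrite", "src_pid": 488, "dst_pid": 1208},
    {"type": "process", "pid": 2268, "parent_pid": 1208,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 648"},
    {"type": "network", "pid": 1208, "dst_ip": "210.65.244.187", "dst_port": 443},
    # Benign noise: rundll32 on a system DLL by export name, and a DNS lookup.
    {"type": "process", "pid": 3000, "parent_pid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "pid": 3000, "dst_ip": "8.8.8.8", "dst_port": 53},
]


def is_rundll32(ev):
    return ev["image"].lower().endswith("\\rundll32.exe")


def match_network(events):
    """Return (pid, ip, port) for every connection to a configured C2."""
    return [(e["pid"], e["dst_ip"], e["dst_port"]) for e in events
            if e["type"] == "network" and (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS]


def match_process_chain(events):
    """Findings for the loader chain seen in the report: rundll32 loading a Temp
    DLL by ordinal, rundll32 spawning rundll32 (64-bit host relaunching the
    SysWOW64 copy), the parent writing into that child, and WerFault reporting
    the child's crash (-p <pid>)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = set()
    for pid, ev in procs.items():
        parent = procs.get(ev["parent_pid"])
        if is_rundll32(ev) and TEMP_DLL_BY_ORDINAL.search(ev["cmdline"]):
            findings.add(("rundll32_temp_dll_by_ordinal", pid))
        if is_rundll32(ev) and parent is not None and is_rundll32(parent):
            findings.add(("rundll32_spawns_rundll32", pid))
        if ev["image"].lower().endswith("\\werfault.exe"):
            m = re.search(r"-p\s+(\d+)", ev["cmdline"])
            crashed = procs.get(int(m.group(1))) if m else None
            if crashed is not None and is_rundll32(crashed):
                findings.add(("werfault_for_rundll32_crash", int(m.group(1))))
    for e in events:
        if e["type"] != "memwrite":
            continue
        src, dst = procs.get(e["src_pid"]), procs.get(e["dst_pid"])
        if src and dst and is_rundll32(src) and dst["parent_pid"] == e["src_pid"]:
            findings.add(("parent_writes_child_memory", e["dst_pid"]))
    return findings


def matches_report_sample(data):
    """True only if the bytes hash to the SHA256 the report lists."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), SAMPLE_SHA256)


if __name__ == "__main__":
    print(match_network(SAMPLE_EVENTS))
    for finding in sorted(match_process_chain(SAMPLE_EVENTS)):
        print(finding)
```

Each finding on its own is weak (WerFault follows any crash, and 64-bit rundll32 spawning its SysWOW64 copy is normal for any 32-bit DLL); the combination of a Temp-path DLL loaded by ordinal, the parent writing into the child, and a connection to one of the listed endpoints is what makes the chain worth alerting on. Only the network match is specific to this botnet configuration; the process findings apply to other loaders that use the same rundll32 pattern.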