Analysis
max time kernel: 18s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 02:21
Static task: static1
General
Target: e1ca4dc87961e1325c4d9b777f0291c225b7a37fb21c691a5b82d7956befa3e5.dll
Size: 170KB
MD5: 00bd81aac7dbd387bf2fc4ea1d491e64
SHA1: c5705aa6326196be2e0453bd9f307ed30abc08f0
SHA256: e1ca4dc87961e1325c4d9b777f0291c225b7a37fb21c691a5b82d7956befa3e5
SHA512: 988b33ca17336416c4493d8ac3232132e80a86f67888f5240e381062e4129f172ae523e51c0fad44d054562af4c8def6373136c5573b270b449e5563c0f73534
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures
-
Processes:
  resource: behavioral1/memory/3964-115-0x00000000735D0000-0x0000000073600000-memory.dmp
  yara_rule: dridex_ldr
-
Program crash (1 IoC)
Processes:
  pid 1316 (WerFault.exe), pid_target 3964 (rundll32.exe)
-
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid 1316 WerFault.exe (listed 14 times)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeRestorePrivilege, pid 1316 WerFault.exe
  Token: SeBackupPrivilege, pid 1316 WerFault.exe
  Token: SeDebugPrivilege, pid 1316 WerFault.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 3912 (rundll32.exe) wrote to memory of 3964 (rundll32.exe)
  PID 3912 (rundll32.exe) wrote to memory of 3964 (rundll32.exe)
  PID 3912 (rundll32.exe) wrote to memory of 3964 (rundll32.exe)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1ca4dc87961e1325c4d9b777f0291c225b7a37fb21c691a5b82d7956befa3e5.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1ca4dc87961e1325c4d9b777f0291c225b7a37fb21c691a5b82d7956befa3e5.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 680
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken