Analysis
- max time kernel: 18s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 02:56
- Static task: static1
General
- Target: d06c843d48e0cac1f8efb4ce9dcf71143e4ef3b49e4f89fbaf775be01c779414.dll
- Size: 172KB
- MD5: 575dad03c5c4443fafec92d1e3c3fda7
- SHA1: e353f7dadf6f8edd048839af48854a79beae5800
- SHA256: d06c843d48e0cac1f8efb4ce9dcf71143e4ef3b49e4f89fbaf775be01c779414
- SHA512: fd162266b11122b10acad90792b3f6b65315fd115016c9a40a991a19baa92d5e38a24a4488ede4ec7d4313452d5c38c64518b9345f9b47ca60d89734c99ac4a6
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
Signatures
- Processes:
  - resource: behavioral1/memory/3968-115-0x0000000073B80000-0x0000000073BB0000-memory.dmp
    yara_rule: dridex_ldr
- Program crash 1 IoCs
  Processes:
  - pid: 3732, pid_target: 3968, process: WerFault.exe, target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses 14 IoCs
  Processes:
  - pid: 3732, process: WerFault.exe (this entry is repeated 14 times in the report)
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes:
  - description: Token: SeRestorePrivilege, pid: 3732, process: WerFault.exe
  - description: Token: SeBackupPrivilege, pid: 3732, process: WerFault.exe
  - description: Token: SeDebugPrivilege, pid: 3732, process: WerFault.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
  - description: PID 3988 wrote to memory of 3968, pid: 3988, process: rundll32.exe, target process: rundll32.exe (this entry is repeated 3 times in the report)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d06c843d48e0cac1f8efb4ce9dcf71143e4ef3b49e4f89fbaf775be01c779414.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d06c843d48e0cac1f8efb4ce9dcf71143e4ef3b49e4f89fbaf775be01c779414.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken