Analysis
- max time kernel: 17s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 00:44
- Static task: static1
General
- Target: 1e1047718c906bb39c0b2ccd2e06012df05ea5fda76d8e977bba252f57871a36.dll
- Size: 170KB
- MD5: 3a403f89fa5d4937d4eb47d6e42670a2
- SHA1: 17aeb115bf55687144facbc7466b9720519ad34a
- SHA256: 1e1047718c906bb39c0b2ccd2e06012df05ea5fda76d8e977bba252f57871a36
- SHA512: 7be514a1518d65175fa3e2091355ea6162a9fa8be267bc305a84acc21050549b9406229777f230e3049cf930699d00e31789e3da60e18cd5d8bf0c082780b676
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
    description                   pid   process       target process
    PID 1588 created 1860         1588  WerFault.exe  rundll32.exe
- Yara rule match
    resource                                                                      yara_rule
    behavioral1/memory/1860-115-0x00000000736D0000-0x00000000736FF000-memory.dmp  dridex_ldr
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    1588  1860        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    1588  WerFault.exe  (the same entry is recorded 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   1588  WerFault.exe
    Token: SeBackupPrivilege    1588  WerFault.exe
    Token: SeDebugPrivilege     1588  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3176 wrote to memory of 1860   3176  rundll32.exe  rundll32.exe
    PID 3176 wrote to memory of 1860   3176  rundll32.exe  rundll32.exe
    PID 3176 wrote to memory of 1860   3176  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e1047718c906bb39c0b2ccd2e06012df05ea5fda76d8e977bba252f57871a36.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e1047718c906bb39c0b2ccd2e06012df05ea5fda76d8e977bba252f57871a36.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken