Analysis
  max time kernel: 18s
  max time network: 126s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 11-06-2021 02:28
  Static task: static1
General
  Target: 244ee8c71177960a5ebec6ec24bbdbfc751087e48f2fa8a1013dc2a5248def19.dll
  Size: 170KB
  MD5: c15cc43042cfb65c583e3bf186b43c54
  SHA1: 01b985718e93a76f735fe4b72c0128cb6ce038fa
  SHA256: 244ee8c71177960a5ebec6ec24bbdbfc751087e48f2fa8a1013dc2a5248def19
  SHA512: e4300705ebbcdcf421dfca8e3a67c71c7bc1b4b53fb93014bdeb4a777df8fb0db49df6f609d6aad9889b212b5d878a7abe9de61f92e1b754623fed3971393ae3
Malware Config
Extracted
  Family: dridex
  Botnet: 22201
  C2:
    210.65.244.187:443
    162.241.41.92:2303
    46.231.204.10:8172
    185.183.159.100:4125
  rc4.plain
  rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 3856 created 3332 | 3856 | WerFault.exe | rundll32.exe

  Processes (resource | yara_rule):
    behavioral1/memory/3332-115-0x0000000073A70000-0x0000000073A9F000-memory.dmp | dridex_ldr

Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
    3856 | 3332 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
    3856 | WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeRestorePrivilege | 3856 | WerFault.exe
    Token: SeBackupPrivilege | 3856 | WerFault.exe
    Token: SeDebugPrivilege | 3856 | WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 4024 wrote to memory of 3332 | 4024 | rundll32.exe | rundll32.exe
    PID 4024 wrote to memory of 3332 | 4024 | rundll32.exe | rundll32.exe
    PID 4024 wrote to memory of 3332 | 4024 | rundll32.exe | rundll32.exe
Processes

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\244ee8c71177960a5ebec6ec24bbdbfc751087e48f2fa8a1013dc2a5248def19.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\244ee8c71177960a5ebec6ec24bbdbfc751087e48f2fa8a1013dc2a5248def19.dll,#1

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 648
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken