Analysis
- max time kernel: 24s
- max time network: 86s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 03:24
- Static task: static1
General
- Target: 0915b9e580b619dca7054b4fdc731bdb59b7617deec4159fc805bdaef4c56235.dll
- Size: 163KB
- MD5: 519573909bbb994e06a39eb20c76c5bd
- SHA1: fddead5ad74fd94d1559121534debd700536e40d
- SHA256: 0915b9e580b619dca7054b4fdc731bdb59b7617deec4159fc805bdaef4c56235
- SHA512: fc82a1065366ce8ade0611791b46d65e900d7bcf963348fa7dc479fee34d41b57447c9ee14feec54ae71a73de0da0cc57faa3a43dfa5238b022ae849db2f8269
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2 (ip:port; two of the three use non-standard ports, so match on the full pair rather than the address alone):
  - 43.229.206.212:443
  - 82.209.17.209:8172
  - 162.241.209.225:4125
- rc4.plain
- rc4.plain

Two rc4.plain entries are listed for this config; their key values are not reproduced on this page.
Signatures
- YARA match: rule dridex_ldr on behavioral1/memory/4012-115-0x0000000010000000-0x000000001002E000-memory.dmp (memory of PID 4012, the SysWOW64 rundll32.exe). 0x10000000 is the default preferred image base for 32-bit DLLs, so the loader was mapped at its preferred base inside the 32-bit rundll32 host.
- Program crash (1 IoC): WerFault.exe (PID 956) was started to handle a crash of rundll32.exe (PID 4012).
- Suspicious behavior: EnumeratesProcesses (14 IoCs): all 14 hits are from WerFault.exe (PID 956), the crash handler, not from the sample's own host process.
- Suspicious use of AdjustPrivilegeToken (3 IoCs): WerFault.exe (PID 956) enabled SeRestorePrivilege, SeBackupPrivilege and SeDebugPrivilege, which is expected for WER while it collects a crash dump.
- Suspicious use of WriteProcessMemory (3 IoCs): rundll32.exe (PID 660, C:\Windows\system32) wrote to the memory of rundll32.exe (PID 4012, C:\Windows\SysWOW64) three times. This is consistent with the 64-bit rundll32 handing the 32-bit DLL off to its 32-bit counterpart at process creation rather than with the payload injecting into another process.
Processes (the ",#1" suffix tells rundll32 to call the DLL's export at ordinal 1; PIDs are taken from the signature tables above)
- C:\Windows\system32\rundll32.exe (PID 660)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0915b9e580b619dca7054b4fdc731bdb59b7617deec4159fc805bdaef4c56235.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4012)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0915b9e580b619dca7054b4fdc731bdb59b7617deec4159fc805bdaef4c56235.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 956)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 720 (the -p argument names the crashed process)
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
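The config above gives three ip:port C2 pairs, and the process tree shows the loader being run through rundll32 by export ordinal from a user-writable Temp path and then crashing into WerFault. The following is an added example, not part of the sandbox report and not code from the Dridex sample or the sandbox: it turns those two observations into detection logic and runs it over constructed log lines. The log formats, field layout and the sample lines themselves are assumptions made for the example.

```python
"""Added example (not from the sandbox report): detection logic built from the
report's extracted Dridex config and process tree, run over constructed logs."""
import re

# IOCs copied from the report's "Malware Config" section (ip, port).
DRIDEX_C2 = {
    ("43.229.206.212", 443),
    ("82.209.17.209", 8172),
    ("162.241.209.225", 4125),
}

# Constructed connection log (not from the report): "timestamp src dst dport".
NET_LOG = """\
2021-06-11T03:25:01Z 10.0.0.15 43.229.206.212 443
2021-06-11T03:25:02Z 10.0.0.15 142.250.74.46 443
2021-06-11T03:25:05Z 10.0.0.15 82.209.17.209 8172
2021-06-11T03:25:09Z 10.0.0.15 82.209.17.209 80
"""

# Constructed process-creation log (not from the report), modelled on the
# report's tree: "pid ppid image command-line". The last line is a benign
# rundll32 use (a Control Panel applet) that must not be flagged.
PROC_LOG = """\
660 520 C:\\Windows\\system32\\rundll32.exe rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\0915b9e580b619dca7054b4fdc731bdb59b7617deec4159fc805bdaef4c56235.dll,#1
4012 660 C:\\Windows\\SysWOW64\\rundll32.exe rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\0915b9e580b619dca7054b4fdc731bdb59b7617deec4159fc805bdaef4c56235.dll,#1
956 4012 C:\\Windows\\SysWOW64\\WerFault.exe C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4012 -s 720
1200 520 C:\\Windows\\system32\\rundll32.exe rundll32.exe shell32.dll,Control_RunDLL desk.cpl
"""


def network_hits(log):
    """(timestamp, dst, port) for each connection to a known C2 pair.
    The port is part of the match: the report lists non-standard ports, and
    the same address on another port is not evidence by itself."""
    hits = []
    for line in log.splitlines():
        ts, _src, dst, port = line.split()
        if (dst, int(port)) in DRIDEX_C2:
            hits.append((ts, dst, int(port)))
    return hits


# rundll32 <path>.dll,#<ordinal>: a DLL invoked by export ordinal.
ORDINAL_EXPORT = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.I)
# A DLL loaded from a per-user profile directory (assumed heuristic).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def parse_procs(log):
    """pid -> {ppid, image, cmdline} from the constructed process log."""
    procs = {}
    for line in log.splitlines():
        pid, ppid, image, cmdline = line.split(maxsplit=3)
        procs[int(pid)] = {"ppid": int(ppid), "image": image, "cmdline": cmdline}
    return procs


def rundll32_ordinal_from_user_dir(procs):
    """PIDs whose rundll32 command line loads a DLL by ordinal from a
    user-writable path, the pattern seen in both rundll32 entries above."""
    flagged = []
    for pid, p in procs.items():
        m = ORDINAL_EXPORT.search(p["cmdline"])
        if m and USER_WRITABLE.search(m.group("dll")):
            flagged.append(pid)
    return sorted(flagged)


def werfault_for_flagged_rundll32(procs):
    """(werfault_pid, crashed_pid) where WerFault's -p argument names one of the
    flagged rundll32 processes: the 660 -> 4012 -> 956 crash chain in the report."""
    flagged = set(rundll32_ordinal_from_user_dir(procs))
    out = []
    for pid, p in procs.items():
        if not p["image"].lower().endswith("werfault.exe"):
            continue
        m = re.search(r"-p\s+(\d+)", p["cmdline"])
        if m and int(m.group(1)) in flagged:
            out.append((pid, int(m.group(1))))
    return out


if __name__ == "__main__":
    procs = parse_procs(PROC_LOG)
    print("C2 connections:", network_hits(NET_LOG))
    print("rundll32 by ordinal from user dir:", rundll32_ordinal_from_user_dir(procs))
    print("WerFault for flagged rundll32:", werfault_for_flagged_rundll32(procs))
```

The network check deliberately ignores 82.209.17.209:80 in the constructed log: the config names port 8172 for that host, and a hit on a different port would need separate justification. The process check chains two weak signals (ordinal invocation from a profile directory, then a WerFault whose -p names that process) so that ordinary rundll32 use such as the Control Panel applet line is left alone.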