Analysis
- max time kernel: 25s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 02:55
- Static task: static1
General
- Target: cab236ace4035ac0563cb8d93d040bf3116b7a84ee8ab1bb95cf9f2764fd48c8.dll
- Size: 170KB
- MD5: 82a976bfc353e7f33578f96f05593636
- SHA1: 6bc383c8bd8f540444bdf688656da854d6fae69d
- SHA256: cab236ace4035ac0563cb8d93d040bf3116b7a84ee8ab1bb95cf9f2764fd48c8
- SHA512: 0e0bbf4d828e27788234a59f690230e32536ae269aea2d6a0ccdf559f14a956ef301aa5c364bf86afa11530df9608bfc9aecd409cb645bfb8b06a7f3feec3b4f
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 128.199.200.38:443
  - 192.163.233.216:6601
  - 43.229.206.244:4125
- rc4.plain
- rc4.plain
Signatures
- YARA rule match:
  - resource: behavioral1/memory/2996-115-0x0000000073560000-0x0000000073590000-memory.dmp
  - yara_rule: dridex_ldr
- Program crash (1 IoC):
  - pid 2352 WerFault.exe, target pid 2996 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs):
  - pid 2352 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs):
  - Token: SeRestorePrivilege, pid 2352 WerFault.exe
  - Token: SeBackupPrivilege, pid 2352 WerFault.exe
  - Token: SeDebugPrivilege, pid 2352 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs):
  - PID 3928 rundll32.exe wrote to memory of PID 2996 rundll32.exe (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cab236ace4035ac0563cb8d93d040bf3116b7a84ee8ab1bb95cf9f2764fd48c8.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cab236ace4035ac0563cb8d93d040bf3116b7a84ee8ab1bb95cf9f2764fd48c8.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 680
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken