Analysis
max time kernel: 18s
max time network: 128s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 02:21
Static task: static1
General
Target: 623712580ac614737e98043b503ea593b050c099a0f2a67e24c4d168c27e4e55.dll
Size: 170KB
MD5: e90da6030f64b2092bcda49fdcb376e3
SHA1: 23d301988059d54b47042f76c91c51510dc647d5
SHA256: 623712580ac614737e98043b503ea593b050c099a0f2a67e24c4d168c27e4e55
SHA512: 79d82216e82f69af75706338d9b0fc006b843bb0db30898e35edc95de646531cfcafe72a5d811e7ef788164be916d40e0a6894857a84b4251b8b1cf0ed61e145
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
128.199.200.38:443
192.163.233.216:6601
43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

Processes:
resource: behavioral1/memory/3860-115-0x0000000073A10000-0x0000000073A40000-memory.dmp
yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
pid: 1976 (WerFault.exe)
pid_target: 3860 (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid 1976 WerFault.exe (14 entries, all for the same process)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
Token: SeRestorePrivilege, pid 1976, WerFault.exe
Token: SeBackupPrivilege, pid 1976, WerFault.exe
Token: SeDebugPrivilege, pid 1976, WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description: PID 3892 wrote to memory of 3860; pid 3892; process rundll32.exe; target process rundll32.exe (3 entries)
Processes

C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\623712580ac614737e98043b503ea593b050c099a0f2a67e24c4d168c27e4e55.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (child)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 684
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\623712580ac614737e98043b503ea593b050c099a0f2a67e24c4d168c27e4e55.dll,#1
    - Suspicious use of WriteProcessMemory