Analysis
max time kernel: 25s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 01:11
Static task: static1
General
Target: ee1333332a5a1293892f3921c9a9af1998a905bc022c92dac1111ee433dca3b9.dll
Size: 170KB
MD5: 9ed607c6ee4f7c105726b57a16e44825
SHA1: 0b3dc2034f41d632a2aeb5afe6f3667aebe46793
SHA256: ee1333332a5a1293892f3921c9a9af1998a905bc022c92dac1111ee433dca3b9
SHA512: 86bae70fcdcad9071275c4897ec27aaeba4057ceb84c0e0f2ade3e2c608d22f754f3c4c69ee93cc36fa05aae73f426b37d9c105f69f96773ec92ed78fa62916c
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
128.199.200.38:443
192.163.233.216:6601
43.229.206.244:4125
rc4.plain: two keys listed, values not shown in this report

Note: the configuration was recovered by config extraction from the sample and its memory dump. The report records no network signatures, so contact with any of the three C2 endpoints was not observed during the 119s network window; treat the list as static IoCs from the embedded config rather than confirmed live infrastructure.
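The three C2 endpoints and botnet ID above are only useful if they are checked against something. The following is an added example, not part of the sandbox report: it parses an `ip:port` list in the report's format and matches it against Zeek-style `conn.log` rows. The log rows are constructed for the example, and the field layout (a subset of Zeek's conn.log columns) is an assumption.

```python
"""Match Dridex C2 endpoints from the report against connection-log rows.

Added example, not part of the sandbox report. The C2 list and botnet ID
are the values printed in the report; the log rows below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Values exactly as listed in the report's "Malware Config" block.
DRIDEX_BOTNET = "40112"
DRIDEX_C2: set[tuple[str, int]] = {
    ("128.199.200.38", 443),
    ("192.163.233.216", 6601),
    ("43.229.206.244", 4125),
}

_C2_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2_block(text: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines such as those under the report's C2 heading.

    Non-matching lines (headings, blanks) are ignored; a malformed
    address that still matches the regex raises ValueError.
    """
    endpoints: set[tuple[str, int]] = set()
    for line in text.splitlines():
        m = _C2_LINE.match(line.strip())
        if m:
            ip, port = m.group(1), int(m.group(2))
            ipaddress.ip_address(ip)  # reject e.g. 999.1.1.1
            if not 0 < port < 65536:
                raise ValueError(f"bad port in C2 line: {line!r}")
            endpoints.add((ip, port))
    return endpoints


def match_connections(
    rows: Iterable[str],
    c2: set[tuple[str, int]] = DRIDEX_C2,
    host_only: bool = False,
) -> list[dict]:
    """Flag rows whose destination is a C2 endpoint.

    Assumed tab-separated columns (subset of Zeek conn.log):
    ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
    With host_only=True a match on the address alone counts, which
    catches the same host on a port the config does not list.
    """
    c2_hosts = {ip for ip, _ in c2}
    hits = []
    for row in rows:
        if not row or row.startswith("#"):
            continue  # Zeek header/comment lines
        f = row.rstrip("\n").split("\t")
        if len(f) < 6:
            continue
        dst_ip, dst_port = f[3], int(f[4])
        matched = (dst_ip, dst_port) in c2 or (host_only and dst_ip in c2_hosts)
        if matched:
            hits.append({
                "ts": f[0],
                "src": f[1],
                "dst": f"{dst_ip}:{dst_port}",
                "botnet": DRIDEX_BOTNET,
                "exact": (dst_ip, dst_port) in c2,
            })
    return hits


# Constructed sample rows: two exact C2 hits, one benign, one right host / wrong port.
SAMPLE_CONN_LOG = [
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1623373900.1\t10.0.0.15\t49811\t128.199.200.38\t443\ttcp",
    "1623373905.4\t10.0.0.15\t49812\t13.107.4.50\t443\ttcp",
    "1623373910.9\t10.0.0.22\t49900\t43.229.206.244\t4125\ttcp",
    "1623373915.0\t10.0.0.22\t49901\t43.229.206.244\t443\ttcp",
]

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_CONN_LOG, host_only=True):
        print(hit)
```

The `host_only` switch exists because Dridex configs pin a port per C2, but the same host is often reused on other ports; an exact match keeps false positives down, a host match is the better hunting query.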
Signatures

yara_rule (memory)
resource: behavioral1/memory/1016-115-0x0000000073F20000-0x0000000073F50000-memory.dmp
rule: dridex_ldr
(The hit is in the memory of PID 1016, the SysWOW64 rundll32.exe instance; the 0x73F2xxxx range is consistent with a 32-bit module mapped under WoW64.)

Program crash: 1 IoC
pid 1988 (WerFault.exe) -> target pid 1016 (rundll32.exe)

Suspicious behavior: EnumeratesProcesses: 14 IoCs
All 14 from pid 1988 (WerFault.exe)

Suspicious use of AdjustPrivilegeToken: 3 IoCs
pid 1988 (WerFault.exe): SeRestorePrivilege
pid 1988 (WerFault.exe): SeBackupPrivilege
pid 1988 (WerFault.exe): SeDebugPrivilege

Suspicious use of WriteProcessMemory: 3 IoCs
PID 4044 (rundll32.exe) wrote to memory of PID 1016 (rundll32.exe), three times

Caveat: the EnumeratesProcesses and AdjustPrivilegeToken hits all belong to WerFault.exe, which enumerates processes and enables backup/restore/debug privileges as part of normal crash reporting; they describe the crash handler, not the loader. Likewise the three WriteProcessMemory events are from the 64-bit rundll32.exe into its own 32-bit child, which is consistent with the WoW64 relaunch of rundll32 for a 32-bit DLL rather than with injection into an unrelated process. The signal specific to the sample is the dridex_ldr YARA hit in PID 1016.
Processes

C:\Windows\system32\rundll32.exe (PID 4044)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee1333332a5a1293892f3921c9a9af1998a905bc022c92dac1111ee433dca3b9.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1016)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee1333332a5a1293892f3921c9a9af1998a905bc022c92dac1111ee433dca3b9.dll,#1
    (32-bit rundll32 relaunched by the 64-bit one; this is the process in which the dridex_ldr YARA rule matched)

    C:\Windows\SysWOW64\WerFault.exe (PID 1988)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample is invoked through its ordinal export (`,#1`) from the user's Temp directory, the 64-bit rundll32 hands off to the SysWOW64 copy because the DLL is 32-bit, and that child crashes and is handled by WerFault. The loader therefore did not get far in this run, which matches the absence of any network activity in the report.
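The process tree above is a compact hunting pattern: rundll32 loading a DLL from a user's Temp directory by ordinal, a system32 rundll32 parenting a SysWOW64 one, and WerFault invoked for that child. The following is an added example, not part of the report, that scores process-creation events for this pattern. The event records are constructed from the report's process list; the field names (`ProcessId`, `ParentProcessId`, `Image`, `CommandLine`) are an assumption modelled on Sysmon EventID 1, and the parent PID of the first rundll32 is invented since the report does not show it.

```python
"""Score rundll32 process-creation events for the Dridex loader pattern.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree; field names follow Sysmon EventID 1 by assumption.
"""
from __future__ import annotations

import re

# DLL loaded from a per-user Temp directory.
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll", re.IGNORECASE)
# Export invoked by ordinal (",#1") rather than by name.
ORDINAL_RE = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)
# WerFault.exe -u -p <pid> -s <handle>
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)\b")

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp\ee1333332a5a1293892f3921c9a9af19"
              r"98a905bc022c92dac1111ee433dca3b9.dll")

# Constructed events; PIDs, images and command lines are those in the report,
# except ParentProcessId 3100 for PID 4044, which the report does not show.
EVENTS = [
    {"ProcessId": 4044, "ParentProcessId": 3100,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"ProcessId": 1016, "ParentProcessId": 4044,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"ProcessId": 1988, "ParentProcessId": 1016,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 680"},
    # A benign rundll32 use for contrast (constructed).
    {"ProcessId": 2200, "ParentProcessId": 3100,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]


def cmdline_findings(cmdline: str) -> list[str]:
    """Findings that can be decided from the command line alone."""
    if "rundll32.exe" not in cmdline.lower():
        return []
    reasons = []
    if TEMP_DLL_RE.search(cmdline):
        reasons.append("dll_in_user_temp")
    if ORDINAL_RE.search(cmdline):
        reasons.append("ordinal_export")
    return reasons


def correlate(events: list[dict]) -> list[dict]:
    """Add parent/child and crash context to each rundll32 event with findings."""
    by_pid = {e["ProcessId"]: e for e in events}
    crashed = set()
    for e in events:
        if e["Image"].lower().endswith("werfault.exe"):
            m = WERFAULT_PID_RE.search(e["CommandLine"])
            if m:
                crashed.add(int(m.group(1)))

    alerts = []
    for e in events:
        reasons = cmdline_findings(e["CommandLine"])
        if not reasons:
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if (parent and parent["Image"].lower().endswith("rundll32.exe")
                and "\\syswow64\\" in e["Image"].lower()
                and "\\system32\\" in parent["Image"].lower()):
            reasons.append("wow64_rundll32_handoff")
        if e["ProcessId"] in crashed:
            reasons.append("werfault_for_pid")
        alerts.append({"pid": e["ProcessId"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The WoW64 handoff and the WerFault crash are context, not verdicts on their own: a 64-bit rundll32 relaunching a 32-bit copy happens for any 32-bit DLL, and crashes happen to legitimate code. Combined with a Temp-directory DLL called by ordinal they describe exactly this run.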