Analysis
- max time kernel: 25s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 03:31
- Static task: static1
General
- Target: b4f4e82ed5bd7d5b27af2ab1dd2a71f90c97012c53117841da6300f9e2882f85.dll
- Size: 170KB
- MD5: 060351ef5abb400fb9e916b5d91ceddc
- SHA1: b3605c9cb634065fb137c02d03cb129248b09618
- SHA256: b4f4e82ed5bd7d5b27af2ab1dd2a71f90c97012c53117841da6300f9e2882f85
- SHA512: 762d75b480e5dccf6aae19e69d6d9f51159234a9f790343fb8c6597ea03ae88e4be092f41747d3f8b9e185b1fcb24984b763a65e66db31adafd3b1a143987bf3
Malware Config (Extracted)
- Family: dridex
- Botnet: 22201
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description: PID 1420 created 1480 | pid: 1420 | process: WerFault.exe | target process: rundll32.exe
- Processes (yara match):
    resource: behavioral1/memory/1480-115-0x00000000742C0000-0x00000000742EF000-memory.dmp | yara_rule: dridex_ldr
- Program crash (1 IoC)
  Processes:
    pid: 1420 | pid_target: 1480 | process: WerFault.exe | target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid: 1420 | process: WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeRestorePrivilege | pid: 1420 | process: WerFault.exe
    description: Token: SeBackupPrivilege | pid: 1420 | process: WerFault.exe
    description: Token: SeDebugPrivilege | pid: 1420 | process: WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 672 wrote to memory of 1480 | pid: 672 | process: rundll32.exe | target process: rundll32.exe (3 identical entries)
Processes (tree, nesting level in parentheses)
- (1) C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4f4e82ed5bd7d5b27af2ab1dd2a71f90c97012c53117841da6300f9e2882f85.dll,#1
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4f4e82ed5bd7d5b27af2ab1dd2a71f90c97012c53117841da6300f9e2882f85.dll,#1
    - (3) C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken