Analysis
- max time kernel: 17s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:19
- Static task: static1
General
- Target: 473028503ff278b4da099b3581f0d1444b49ba9d3294a014edcdd018891bd298.dll
- Size: 170KB
- MD5: 9be98aeaa48db0e6185bac6ea202aee5
- SHA1: 0c58d64df2beea1a76ebc4a14664e96c83040226
- SHA256: 473028503ff278b4da099b3581f0d1444b49ba9d3294a014edcdd018891bd298
- SHA512: 066117671e468dfe1957a193b90a7d861a16a95d4cf0f57f801045249ccd2dfc1b659dbf00adbffecececfd2cf661403d57e47001e30cef7885047b81807d338
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  - 128.199.200.38:443
  - 192.163.233.216:6601
  - 43.229.206.244:4125
- rc4.plain
- rc4.plain
Signatures
- Processes:
  - resource: behavioral1/memory/1248-115-0x0000000073A90000-0x0000000073AC0000-memory.dmp
    yara_rule: dridex_ldr
- Program crash (1 IoCs)
  Processes:
  - pid: 8 (WerFault.exe), pid_target: 1248 (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - pid: 8 (WerFault.exe), 14 entries
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeRestorePrivilege, pid: 8 (WerFault.exe)
  - Token: SeBackupPrivilege, pid: 8 (WerFault.exe)
  - Token: SeDebugPrivilege, pid: 8 (WerFault.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 512 (rundll32.exe) wrote to memory of PID 1248 (rundll32.exe), 3 entries
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\473028503ff278b4da099b3581f0d1444b49ba9d3294a014edcdd018891bd298.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\473028503ff278b4da099b3581f0d1444b49ba9d3294a014edcdd018891bd298.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken