Analysis
  max time kernel:  17s
  max time network: 116s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        11-06-2021 03:29
  Static task:      static1
General
  Target: a0005c52d3f6bbdffa318707546743a6839d35450443b8d6ac73b5a9ba7c309d.dll
  Size:   170KB
  MD5:    b540ecdb806c2aab38cf91e40898ac5a
  SHA1:   54e707b17d4ab12eb209183b17d35614711ea5d8
  SHA256: a0005c52d3f6bbdffa318707546743a6839d35450443b8d6ac73b5a9ba7c309d
  SHA512: 324d40b6a7d814bf8205b8dcbc820f54c297ebc96fc36e65c0ef7af4a2429e831b11661ddbd5a9b9a272a62b6687158130326cd67000edb1cd63730757cc30a5
Malware Config (Extracted)
  Family: dridex
  Botnet: 22201
  C2:
    210.65.244.187:443
    162.241.41.92:2303
    46.231.204.10:8172
    185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description              pid   process       target process
    PID 4072 created 2152    4072  WerFault.exe  rundll32.exe

Memory YARA match
  Processes:
    resource                                                                  yara_rule
    behavioral1/memory/2152-115-0x00000000736D0000-0x00000000736FF000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    4072  2152        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    4072  WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   4072  WerFault.exe
    Token: SeBackupPrivilege    4072  WerFault.exe
    Token: SeDebugPrivilege     4072  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process       target process
    PID 3176 wrote to memory of 2152    3176  rundll32.exe  rundll32.exe
    PID 3176 wrote to memory of 2152    3176  rundll32.exe  rundll32.exe
    PID 3176 wrote to memory of 2152    3176  rundll32.exe  rundll32.exe
Processes (tree)

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0005c52d3f6bbdffa318707546743a6839d35450443b8d6ac73b5a9ba7c309d.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0005c52d3f6bbdffa318707546743a6839d35450443b8d6ac73b5a9ba7c309d.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken