Analysis

max time kernel: 17s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 03:39
static task: static1
General

Target: a7fd598c1eb2a2613029d9a437e3ae7d594e35a65486fc8e42bf76528d144795.dll
Size: 170KB
MD5: 1f9319a16281f56b977c6446eed4725b
SHA1: 8bb02493023f38e558092fe6d3a5c493c36303e3
SHA256: a7fd598c1eb2a2613029d9a437e3ae7d594e35a65486fc8e42bf76528d144795
SHA512: 9a151e57fcb3538a8c97bc34bff41419e2a23ccd5e4cc77d915e0c84e291f502c449d4e9fbbe1d9e6ca16bb78821621c893c5edc94534b17cb8ee6140b4dda86
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain: two entries; the key values are not included in this copy of the report
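The C2 list above can be turned directly into network detection content. The following Python is an added example, not part of the sandbox report or of any Dridex tooling: it parses the four endpoints, then scans Zeek conn.log-style records for exact ip:port matches (high confidence) and for connections to a C2 address on some other port (medium confidence, a pivot point rather than a confirmed beacon). The conn.log lines are constructed for illustration and are not from the sandbox run; the internal addresses and the benign destination 93.184.216.34 are placeholders.

```python
"""Match network connection records against the C2 endpoints extracted above.

Added example (not from the report or from any Dridex tooling). The C2 list
is copied from the report's Malware Config; every log line below is
constructed for illustration and is not sandbox output.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# C2 endpoints exactly as listed in the extracted config (botnet 22201).
C2_ENDPOINTS = [
    "210.65.244.187:443",
    "162.241.41.92:2303",
    "46.231.204.10:8172",
    "185.183.159.100:4125",
]


@dataclass(frozen=True)
class Endpoint:
    ip: ipaddress.IPv4Address
    port: int


def parse_endpoint(text: str) -> Endpoint:
    """Parse 'ip:port', rejecting malformed entries rather than silently matching nothing."""
    host, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {text!r}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return Endpoint(ipaddress.IPv4Address(host), port_num)


C2_SET = frozenset(parse_endpoint(e) for e in C2_ENDPOINTS)
C2_IPS = frozenset(e.ip for e in C2_SET)

# Constructed Zeek conn.log-style records (tab-separated):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
# Internal hosts and the benign 93.184.216.34 destination are placeholders.
SAMPLE_CONN_LOG = "\n".join("\t".join(r) for r in [
    ("1623382800.101", "Cx1", "10.0.0.15", "49712", "210.65.244.187", "443", "tcp"),
    ("1623382800.205", "Cx2", "10.0.0.15", "49713", "93.184.216.34", "443", "tcp"),
    ("1623382801.010", "Cx3", "10.0.0.15", "49714", "162.241.41.92", "2303", "tcp"),
    ("1623382801.500", "Cx4", "10.0.0.15", "49715", "46.231.204.10", "443", "tcp"),
    ("1623382802.020", "Cx5", "10.0.0.22", "51002", "185.183.159.100", "4125", "tcp"),
])


def scan_conn_log(text: str) -> list[dict]:
    """Return one hit per record whose responder matches the C2 config.

    Exact ip:port matches are 'high'; a C2 address on a port that is not in
    the config is 'medium' (operators rotate ports, so treat it as a pivot
    point rather than a confirmed beacon).
    """
    hits: list[dict] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")
        dst = Endpoint(ipaddress.IPv4Address(resp_h), int(resp_p))
        if dst in C2_SET:
            confidence, reason = "high", "exact C2 ip:port from extracted config"
        elif dst.ip in C2_IPS:
            confidence, reason = "medium", "C2 address on a port not in the config"
        else:
            continue
        hits.append({
            "ts": ts, "uid": uid, "src": orig_h, "dst": f"{dst.ip}:{dst.port}",
            "proto": proto, "confidence": confidence, "reason": reason,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_conn_log(SAMPLE_CONN_LOG):
        print(hit)
```

Three of the four configured ports (2303, 8172, 4125) are not 443, so egress monitoring or blocking that only looks at 443 would miss most of this configuration; the port-agnostic medium-confidence match exists for the same reason.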
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description           pid   process       target process
  PID 1920 created 796  1920  WerFault.exe  rundll32.exe

YARA rule match: dridex_ldr (1 IoC; the signature title was not captured in this copy of the report)
  resource                                                                     yara_rule
  behavioral1/memory/796-115-0x00000000742B0000-0x00000000742DF000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  process       target process
  1920  796         WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  1920  WerFault.exe  (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  1920  WerFault.exe
  Token: SeBackupPrivilege   1920  WerFault.exe
  Token: SeDebugPrivilege    1920  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   process       target process
  PID 4044 wrote to memory of 796  4044  rundll32.exe  rundll32.exe  (3 occurrences)
Processes

C:\Windows\system32\rundll32.exe (PID 4044)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7fd598c1eb2a2613029d9a437e3ae7d594e35a65486fc8e42bf76528d144795.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 796)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7fd598c1eb2a2613029d9a437e3ae7d594e35a65486fc8e42bf76528d144795.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 1920)
      C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature tables above. The ",#1" argument makes rundll32 call the DLL's export by ordinal 1 rather than by name. The 64-bit rundll32.exe in system32 re-launches the DLL under the 32-bit SysWOW64 rundll32.exe, which is what rundll32 does for a 32-bit DLL (the dridex_ldr YARA hit is on a 32-bit address range, 0x742B0000-0x742DF000, in PID 796). That 32-bit instance then faults while the DLL is loaded: WerFault.exe is started for PID 796 (-p 796), which accounts for the crash, process-enumeration and privilege-token signatures attributed to WerFault.exe.
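The chain above (rundll32.exe loading a DLL from the user's Temp directory by ordinal, re-launching it under SysWOW64 rundll32.exe, then WerFault.exe being started for that process) can be detected from process-creation telemetry. The following Python is an added example and is not part of the report: it runs two rules over hand-built Sysmon-style records that mirror the tree (PIDs, images and command lines come from the report; the launcher's PID 1000 and the benign shell32.dll record are constructed placeholders).

```python
"""Flag the rundll32 -> rundll32 (SysWOW64) -> WerFault chain shown in the process tree.

Added example; not part of the sandbox report. The event records are
constructed by hand to mirror the tree above (images, command lines and
PIDs 4044/796/1920 come from the report; the parent PID of the first
rundll32.exe and the benign control-panel event are assumptions). Field
names follow Sysmon Event ID 1 naming, but these are not real log records.
"""
from __future__ import annotations

import re

DLL_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\a7fd598c1eb2a2613029d9a437e3ae7d594e35a65486fc8e42bf76528d144795.dll")

EVENTS = [
    # Parent PID 1000 is a placeholder; the report does not show what launched rundll32.
    {"pid": 4044, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL_PATH},#1"},
    {"pid": 796, "ppid": 4044, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL_PATH},#1"},
    {"pid": 1920, "ppid": 796, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 648"},
    # Constructed benign control: a normal rundll32 call that must not fire.
    {"pid": 2222, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 loading a DLL from a user's %LOCALAPPDATA%\Temp and calling an export by ordinal.
RUNDLL_TEMP_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^,"]+\.dll)"?'
    r'\s*,\s*#(?P<ordinal>\d+)',
    re.IGNORECASE,
)
# WerFault's -p argument names the process that faulted.
WERFAULT_TARGET = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)


def detect(events: list[dict]) -> list[dict]:
    """Return findings for the rundll32/WerFault pattern; order follows the input."""
    by_pid = {e["pid"]: e for e in events}
    findings: list[dict] = []
    for e in events:
        m = RUNDLL_TEMP_ORDINAL.search(e["cmdline"])
        if m:
            finding = {"rule": "rundll32_temp_dll_ordinal", "pid": e["pid"],
                       "dll": m["dll"], "ordinal": int(m["ordinal"])}
            parent = by_pid.get(e["ppid"])
            # A rundll32 parent plus a SysWOW64 child is the 32-bit re-launch seen in the tree.
            if (parent and parent["image"].lower().endswith("\\rundll32.exe")
                    and "\\syswow64\\" in e["image"].lower()):
                finding["note"] = "re-launched under 32-bit rundll32 by a rundll32 parent"
            findings.append(finding)
        m = WERFAULT_TARGET.search(e["cmdline"])
        if m:
            # Correlate on -p rather than on the parent PID: WER-started WerFault
            # may not be parented by the faulting process.
            crashed = by_pid.get(int(m["pid"]))
            cm = RUNDLL_TEMP_ORDINAL.search(crashed["cmdline"]) if crashed else None
            if cm:
                findings.append({"rule": "werfault_for_rundll32_temp_dll", "pid": e["pid"],
                                 "crashed_pid": crashed["pid"], "dll": cm["dll"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The second rule links WerFault.exe to the faulting process through its -p argument instead of the parent PID, since the report's own NtCreateProcessExOtherParentProcess signature shows the parent relationship is not reliable for WerFault; a WerFault record whose target process is not in the telemetry produces no finding.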