Analysis
- max time kernel: 18s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:41
- static task: static1
General
- Target: 2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd.dll
- Size: 170KB
- MD5: fa38d64ccd1d36e1062f3b8adc84f3f0
- SHA1: 2b18585faa29ea574ea4bb354929c3fc2df093cb
- SHA256: 2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd
- SHA512: 7d525c28474699f4fdcba1ce7262c19f62e9b9efd82710e7fdeb174161e54f54105da769e33b2ebbbd8aa479cc9487f743e1ceeb65a3af4c5a407f275f5d996a
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures

- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1016 created 4468 | 1016 | WerFault.exe | rundll32.exe

- Processes (YARA match):
  resource | yara_rule
  behavioral1/memory/4468-115-0x0000000074290000-0x00000000742BF000-memory.dmp | dridex_ldr

- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  1016 | 4468 | WerFault.exe | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid | process
  1016 | WerFault.exe (this row is listed 14 times)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 1016 | WerFault.exe
  Token: SeBackupPrivilege | 1016 | WerFault.exe
  Token: SeDebugPrivilege | 1016 | WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4444 wrote to memory of 4468 | 4444 | rundll32.exe | rundll32.exe
  PID 4444 wrote to memory of 4468 | 4444 | rundll32.exe | rundll32.exe
  PID 4444 wrote to memory of 4468 | 4444 | rundll32.exe | rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe (PID 4444)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd.dll,#1
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (PID 4468)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ce9ea3c8aee379c5ea085a32452ec00cf52d87c0333e86e069c34f3aaefabdd.dll,#1

    - C:\Windows\SysWOW64\WerFault.exe (PID 1016)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 656
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken