Analysis
- max time kernel: 25s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 01:32
- Static task: static1

General
- Target: e650b57499238720b8bd69487d11f262291ae5d5a86c62e2da92a8af547b6e15.dll
- Size: 170KB
- MD5: c7ba626b6dfdd121f430d2860a4e8be6
- SHA1: 353879bec8b3c76006281c931b5ca913a2e079ec
- SHA256: e650b57499238720b8bd69487d11f262291ae5d5a86c62e2da92a8af547b6e15
- SHA512: df8ae4959a0eda3d2532e59ce8764e94a2e613bf9f6e806740862f842cceb5f6deb77a08f9e71a6d76b2bd56ccbd92034b7f3b2b2c917697c14835738ccf9915
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description / pid / process / target process):
  PID 1476 created 1344 / 1476 / WerFault.exe / rundll32.exe
- Processes (resource / yara_rule):
  behavioral1/memory/1344-115-0x00000000735F0000-0x000000007361F000-memory.dmp / dridex_ldr
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  1476 / 1344 / WerFault.exe / rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
  1476 / WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  Token: SeRestorePrivilege / 1476 / WerFault.exe
  Token: SeBackupPrivilege / 1476 / WerFault.exe
  Token: SeDebugPrivilege / 1476 / WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 596 wrote to memory of 1344 / 596 / rundll32.exe / rundll32.exe (3 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe (PID 596)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e650b57499238720b8bd69487d11f262291ae5d5a86c62e2da92a8af547b6e15.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1344)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e650b57499238720b8bd69487d11f262291ae5d5a86c62e2da92a8af547b6e15.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1476)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 648
         - Suspicious use of NtCreateProcessExOtherParentProcess
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken