Analysis
- max time kernel: 25s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 02:31
- Static task: static1
General
- Target: c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a.dll
- Size: 170KB
- MD5: 8955b4fb082a3e3a0abb982244b754eb
- SHA1: c08e1c1f8a895352ebc292ba8ba8c929157fdbe5
- SHA256: c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a
- SHA512: b09d4fd0c571e17962539f0f26d3ea518d1005217599b912620b1859844a2f8436319edc0b65c278bc4fc749ace46891ff673cc9162d459768baeac7553d01f7
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description                 pid   process       target process
    PID 2016 created 1032       2016  WerFault.exe  rundll32.exe
- Yara match
  Processes:
    resource                                                                          yara_rule
    behavioral1/memory/1032-115-0x0000000074440000-0x000000007446F000-memory.dmp      dridex_ldr
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2016  1032        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    2016  WerFault.exe  (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   2016  WerFault.exe
    Token: SeBackupPrivilege    2016  WerFault.exe
    Token: SeDebugPrivilege     2016  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   process       target process
    PID 808 wrote to memory of 1032     808   rundll32.exe  rundll32.exe
    PID 808 wrote to memory of 1032     808   rundll32.exe  rundll32.exe
    PID 808 wrote to memory of 1032     808   rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8de12ff4039f6b8e29b787335d0d0bcce9778f129551eb8cf489b809815e08a.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken