Analysis
max time kernel: 17s
max time network: 139s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 03:35
Static task: static1
General
Target: 51d92fa47f021cee7f307770ee01008fe55be362a5ff807f4aecd52c8853b877.dll
Size: 170KB
MD5: 257dfcd89ed8c82c4710e76e8c8ee96c
SHA1: cbe770ffdf0d851fa978188ddd42759fec1053f2
SHA256: 51d92fa47f021cee7f307770ee01008fe55be362a5ff807f4aecd52c8853b877
SHA512: 5e18c1cbc1a9c63f0eab53b635f32c1b720fc342452845bd9af583ec5218dfa8908c98677e82176605c75df292794c0077e685ad785f461b3f446b692f9592f7
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
- 128.199.200.38:443
- 192.163.233.216:6601
- 43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

Processes (resource | yara_rule):
- behavioral1/memory/1932-115-0x0000000074300000-0x0000000074330000-memory.dmp | dridex_ldr

Program crash (1 IoC)
Processes (pid | target pid | process | target process):
- 4032 | 1932 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid | process):
- 4032 | WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeRestorePrivilege | 4032 | WerFault.exe
- Token: SeBackupPrivilege | 4032 | WerFault.exe
- Token: SeDebugPrivilege | 4032 | WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
- PID 3872 wrote to memory of 1932 | 3872 | rundll32.exe | rundll32.exe (3 occurrences)
Processes (process tree, depth shown by indentation)
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\51d92fa47f021cee7f307770ee01008fe55be362a5ff807f4aecd52c8853b877.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\51d92fa47f021cee7f307770ee01008fe55be362a5ff807f4aecd52c8853b877.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 684
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken