Analysis
- max time kernel: 16s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:00
- Static task: static1
General
- Target: 391208225c173d79026f69b45a2b1e495088d066bfd428aca74d571b4945418f.dll
- Size: 170KB
- MD5: 8a7b91c2f8ec8cba216727f307e3c9a9
- SHA1: e04be849f966b6da7650db0c026052941660d7fb
- SHA256: 391208225c173d79026f69b45a2b1e495088d066bfd428aca74d571b4945418f
- SHA512: d8da6c5106bfa6de015fd6a667fa71021b1982d80b0db66acfc96ac51c520c5ecf99bf83c43f3586d3dd9ded3563c07015bd4148ad128bb0a50c3bfed91f5499
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes: PID 1108 (WerFault.exe) created PID 3592 (rundll32.exe)
- YARA match (1 IoC)
  Resource: behavioral1/memory/3592-115-0x00000000736D0000-0x00000000736FF000-memory.dmp
  Rule: dridex_ldr
- Program crash (1 IoC)
  Processes: PID 1108 (WerFault.exe), target PID 3592 (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: PID 1108 (WerFault.exe), 14 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: PID 1108 (WerFault.exe)
  - Token: SeRestorePrivilege
  - Token: SeBackupPrivilege
  - Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 3172 (rundll32.exe) wrote to memory of PID 3592 (rundll32.exe), 3 occurrences
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\391208225c173d79026f69b45a2b1e495088d066bfd428aca74d571b4945418f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\391208225c173d79026f69b45a2b1e495088d066bfd428aca74d571b4945418f.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken