Analysis
max time kernel: 17s
max time network: 125s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 03:35
Static task: static1
General
Target: db555bf31a1be6770e5edbe8c30ca5dc4130538c9f04c621dbecb356c6ae96e5.dll
Size: 170KB
MD5: 6635c09177936a783fe7e11235332992
SHA1: 4916bea555a07fd7ea4f285c7b8d78f7ccae5ec2
SHA256: db555bf31a1be6770e5edbe8c30ca5dc4130538c9f04c621dbecb356c6ae96e5
SHA512: 4a63bf047a4884790f331a350704b8b06671ad153df93022fac8fa8ec79609dde0cfb389a93c5ab3a1c4e31ed0aaf513a8a0e3753b1deb164ca0c2552e159fc3
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
- 128.199.200.38:443
- 192.163.233.216:6601
- 43.229.206.244:4125
rc4.plain
rc4.plain
(two RC4 key entries are listed in the extracted config; their values are not included in this extract)
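The extracted config above is the most reusable part of this report: three C2 IP:port pairs and a botnet id. The following is an added example (not part of the sandbox report) that validates those entries, emits one Suricata alert rule per pair, and scans flow records for contacts. The C2 list and botnet id are copied from the report; the flow log format, the sample flow lines and the sid range are assumptions made for the demo.

```python
"""Turn the Dridex config extracted above into network IoC checks.

Added example, not part of the sandbox report. The C2 list and botnet id are
copied from the report; the flow log lines below are constructed for the demo.
"""
import ipaddress
from typing import Iterable

# From the report's "Malware Config" section.
DRIDEX_BOTNET = 40112
DRIDEX_C2 = [
    "128.199.200.38:443",
    "192.163.233.216:6601",
    "43.229.206.244:4125",
]


def parse_c2(entries: Iterable[str]) -> set[tuple[str, int]]:
    """Validate ip:port strings and return a set of (ip, port) tuples.

    Raises ValueError on a malformed address or port so that a typo in a
    copied config does not silently become a rule that never fires.
    """
    out = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)
        p = int(port)
        if not 0 < p < 65536:
            raise ValueError(f"bad port in {entry!r}")
        out.add((str(ip), p))
    return out


def suricata_rules(c2: set[tuple[str, int]], base_sid: int = 9000000) -> list[str]:
    """Emit one outbound-connection rule per C2 pair (the sid range is an assumption)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Dridex botnet {DRIDEX_BOTNET} C2 contact {ip}:{port}"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


def match_flows(c2: set[tuple[str, int]], flow_lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Scan whitespace-separated 'ts src sport dst dport' records for C2 hits.

    The record layout is an assumption for this example; map your own
    conn log columns onto it.
    """
    hits = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, _sport, dst, dport = parts[:5]
        try:
            key = (dst, int(dport))
        except ValueError:
            continue
        if key in c2:
            hits.append((ts, src, f"{dst}:{dport}"))
    return hits


# Constructed sample flow records, not traffic from the sandbox run.
SAMPLE_FLOWS = [
    "1623382530.1 10.0.0.5 51023 142.250.74.46 443",
    "1623382531.7 10.0.0.5 51024 128.199.200.38 443",
    "1623382532.2 10.0.0.9 51025 43.229.206.244 80",     # C2 address, non-C2 port
    "1623382533.9 10.0.0.9 51026 192.163.233.216 6601",
]

if __name__ == "__main__":
    c2 = parse_c2(DRIDEX_C2)
    for rule in suricata_rules(c2):
        print(rule)
    for hit in match_flows(c2, SAMPLE_FLOWS):
        print("C2 contact:", hit)
```

The match is exact on IP and port because that is what the config says; the third sample line shows the consequence (the C2 address on port 80 is not reported). If you also want address-only hits, match on `dst` alone and score them lower. These addresses were extracted from a June 2021 sample, so check current ownership before alerting on them in production.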
Signatures

Yara rule match
Processes:
- resource behavioral1/memory/3464-115-0x0000000074090000-0x00000000740C0000-memory.dmp, yara_rule dridex_ldr
  (a 192 KB region of PID 3464, the SysWOW64 rundll32.exe that hosts the DLL, matched the dridex_ldr rule)

Program crash 1 IoCs
Processes:
- pid 2664 WerFault.exe, target pid 3464 rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- pid 2664 WerFault.exe (all 14 events)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeRestorePrivilege, pid 2664 WerFault.exe
- Token: SeBackupPrivilege, pid 2664 WerFault.exe
- Token: SeDebugPrivilege, pid 2664 WerFault.exe
  (these three, like the process enumeration above, are raised by Windows Error Reporting while it handles the crash of PID 3464, not by code in the sample)

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- PID 3896 rundll32.exe wrote to memory of 3464 rundll32.exe (3 events)
  (3896 is the 64-bit C:\Windows\system32\rundll32.exe; 3464 is the C:\Windows\SysWOW64\rundll32.exe it spawned with the same command line, which is how a 64-bit rundll32 hands a 32-bit DLL to the 32-bit loader)
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\db555bf31a1be6770e5edbe8c30ca5dc4130538c9f04c621dbecb356c6ae96e5.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\db555bf31a1be6770e5edbe8c30ca5dc4130538c9f04c621dbecb356c6ae96e5.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 680
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

The DLL is invoked by export ordinal (",#1") rather than by name, and from the user's Temp directory. WerFault's "-p 3464" names the crashing process, the SysWOW64 rundll32.exe that loaded the DLL; the loader crashed before any network activity was recorded, so the C2 list above comes from the static config extraction, not from observed traffic.
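The process tree above is a pattern worth detecting on its own: rundll32 loading a DLL from %LOCALAPPDATA%\Temp by ordinal, the 64-bit rundll32 relaunching its SysWOW64 copy with identical arguments, and WerFault pointing at that child. The following is an added example (not part of the sandbox report) that reconstructs the chain from process-creation records. The PIDs, image paths and command lines are taken from the report; the record layout is an assumption, and the parent of PID 3896 is not recorded on the page, so it is set to 0.

```python
"""Reconstruct the rundll32 -> rundll32 (SysWOW64) -> WerFault chain from
process-creation records and flag it.

Added example, not part of the sandbox report. The records below are
constructed to mirror the report's process tree: PIDs 3896, 3464 and 2664,
the image paths and the command lines come from the report; the parent of
PID 3896 is not recorded there, so it is set to 0.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not recorded
    image: str
    cmdline: str


DLL_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\db555bf31a1be6770e5edbe8c30ca5dc4130538c9f04c621dbecb356c6ae96e5.dll")

EVENTS = [
    ProcEvent(3896, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL_PATH},#1"),
    ProcEvent(3464, 3896, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL_PATH},#1"),
    ProcEvent(2664, 3464, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 680"),
    # Constructed control record: a normal rundll32 use that must not be flagged.
    ProcEvent(4100, 0, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32 loading a DLL from the user's Temp directory by export ordinal (",#N").
RUNDLL_TEMP_DLL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+\\AppData\\Local\\Temp\\[^\s,]+\.dll),#(?P<ordinal>\d+)",
    re.IGNORECASE,
)
# WerFault's -p argument names the crashing process.
WERFAULT_TARGET = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)


def is_rundll32_temp_dll(ev: ProcEvent) -> bool:
    return RUNDLL_TEMP_DLL.search(ev.cmdline) is not None


def is_wow64_relaunch(parent: ProcEvent, child: ProcEvent) -> bool:
    """64-bit rundll32 re-running itself as the SysWOW64 copy with the same
    arguments, which is what happens when the DLL it was given is 32-bit."""
    return (parent.image.lower().endswith(r"\system32\rundll32.exe")
            and child.image.lower().endswith(r"\syswow64\rundll32.exe")
            and parent.cmdline == child.cmdline)


def analyse(events):
    """Return findings as tuples whose first element names the pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        m = RUNDLL_TEMP_DLL.search(ev.cmdline)
        if m:
            findings.append(("rundll32_temp_dll", ev.pid, m.group("dll"), int(m.group("ordinal"))))
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_wow64_relaunch(parent, ev):
            findings.append(("wow64_relaunch", parent.pid, ev.pid))
        w = WERFAULT_TARGET.search(ev.cmdline)
        if w:
            target = by_pid.get(int(w.group("pid")))
            # Only interesting when the crashed process is the one hosting the Temp DLL.
            if target is not None and is_rundll32_temp_dll(target):
                findings.append(("crash_of_sample_host", ev.pid, target.pid))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The WerFault correlation is deliberately tied to the crashed process rather than to WerFault's own behaviour: the privilege and enumeration signatures in the report all belong to WerFault and would fire on any crash, so on their own they carry no signal about the sample.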