Analysis
max time kernel: 18s
max time network: 116s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 02:54
Static task: static1
General
Target: 2fa9206adf8e04fe8cc70c4025adbe7eb1d6dfe880ae4440b2df813bdb8764a8.dll
Size: 170KB
MD5: 43f7a3258226fb017e4b7afbc63f06a2
SHA1: 32fbf80f6333e2ea2702cd1d9a347abfdda5d68b
SHA256: 2fa9206adf8e04fe8cc70c4025adbe7eb1d6dfe880ae4440b2df813bdb8764a8
SHA512: d2e35c87fd77538df08f9fce9b43eda36c258b84752e6711f52b29d45053c0297fb7697901b520ffad282839da8d44ec3a33054727097f9de2c95a5745d1e8f6
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

Processes:
resource                                                                        yara_rule
behavioral1/memory/4460-115-0x0000000074290000-0x00000000742C0000-memory.dmp   dridex_ldr

Program crash 1 IoCs
Processes:
pid   pid_target   process        target process
1904  4460         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid   process
1904  WerFault.exe   (this entry is repeated 14 times in the report)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                 pid   process
Token: SeRestorePrivilege   1904  WerFault.exe
Token: SeBackupPrivilege    1904  WerFault.exe
Token: SeDebugPrivilege     1904  WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                           pid   process        target process
PID 4444 wrote to memory of 4460      4444  rundll32.exe   rundll32.exe
PID 4444 wrote to memory of 4460      4444  rundll32.exe   rundll32.exe
PID 4444 wrote to memory of 4460      4444  rundll32.exe   rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa9206adf8e04fe8cc70c4025adbe7eb1d6dfe880ae4440b2df813bdb8764a8.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa9206adf8e04fe8cc70c4025adbe7eb1d6dfe880ae4440b2df813bdb8764a8.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken