Analysis
- max time kernel: 24s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 00:36
- static task: static1
General
- Target: cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5.dll
- Size: 170KB
- MD5: 4958ba79c4b23425969558db6d01e600
- SHA1: c5fb5156c9131306284b66b56779c3bf37252faa
- SHA256: cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5
- SHA512: f862a50992024571f002ce15fd9ba6f1914eb25f45b5f5734dc656485e77e4b2364410eb5fe081e89c925d1705ba16f51e12ef7046780f9d869734a2f7960ffc
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description           | pid  | process      | target process
    PID 1460 created 1044 | 1460 | WerFault.exe | rundll32.exe
- Yara match: dridex_ldr
  Processes:
    resource                                                                    | yara_rule
    behavioral1/memory/1044-115-0x00000000736D0000-0x00000000736FF000-memory.dmp | dridex_ldr
- Program crash (1 IoC)
  Processes:
    pid  | pid_target | process      | target process
    1460 | 1044       | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid  | process
    1460 | WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               | pid  | process
    Token: SeRestorePrivilege | 1460 | WerFault.exe
    Token: SeBackupPrivilege  | 1460 | WerFault.exe
    Token: SeDebugPrivilege   | 1460 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                     | pid | process      | target process
    PID 796 wrote to memory of 1044 | 796 | rundll32.exe | rundll32.exe (3 identical entries)

Reading the signatures: every hit attributed to PID 1460 (NtCreateProcessExOtherParentProcess, Program crash, EnumeratesProcesses, AdjustPrivilegeToken) belongs to WerFault.exe handling the crash of PID 1044. `WerFault.exe -u -p 1044 -s 648` is the standard Windows Error Reporting invocation for a faulting process, so these are crash-handling behaviour, not behaviour of the sample. The WriteProcessMemory hits (PID 796 into 1044) are the 64-bit rundll32.exe creating the SysWOW64 rundll32.exe child, which 64-bit rundll32.exe does on its own when handed a 32-bit DLL. The sample-specific evidence on this page is the dridex_ldr yara match in the memory of PID 1044 and the extracted Dridex config.
Processes
- C:\Windows\system32\rundll32.exe (PID 796)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1044)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cef9b2939def86257411f5ddfd01e33daf3b4a28c84e2ebf22279c19904f9bf5.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 1460)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The `,#1` suffix tells rundll32.exe to call the DLL's export at ordinal 1 rather than a named export; the DLL's code therefore runs inside PID 1044 (the SysWOW64 rundll32.exe), which is the process that crashed and whose memory produced the dridex_ldr yara hit. PIDs are taken from the signature tables above.
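Added example, not sandbox output and not code from the sample: a small Python triage script that rebuilds the process tree above as event records and checks it for the three facts worth pulling out of this report: rundll32.exe loading a DLL from a user's Temp directory by export ordinal, the 64-bit rundll32.exe re-launching the SysWOW64 rundll32.exe for a 32-bit DLL, and WerFault.exe's `-p` argument resolving to the crashed process. It also parses the memory-dump file name from the dridex_ldr yara hit into pid and mapped range. The `ProcEvent` schema, the ppid of 0 for the root process and the event records themselves are constructed from the tree on this page and are assumptions, not real telemetry.

```python
"""Triage helpers for the rundll32 -> rundll32 -> WerFault chain in this report.

Added example for this page; not sandbox output and not code from the sample.
The event records are constructed from the report's process tree (PIDs 796,
1044, 1460). The ProcEvent field names are an assumed schema, not a real
EDR log format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as launched


DLL = (r"C:\Users\Admin\AppData\Local\Temp\cef9b2939def86257411f5ddfd01e33d"
       r"af3b4a28c84e2ebf22279c19904f9bf5.dll")

# Constructed from the report's process tree; ppid 0 for the root is assumed.
EVENTS = [
    ProcEvent(796, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1044, 796, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1460, 1044, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 648"),
]

# rundll32 given a DLL under a user's Temp directory plus an export ordinal
# ("#1") instead of an export name: the loader pattern seen in this report.
_TEMP_ORDINAL = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+\b", re.IGNORECASE)


def rundll32_ordinal_from_temp(ev: ProcEvent) -> bool:
    return (ev.image.lower().endswith(r"\rundll32.exe")
            and bool(_TEMP_ORDINAL.search(ev.cmdline)))


def wow64_rundll32_chain(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where 64-bit rundll32 spawned the SysWOW64
    rundll32 with the same command line. 64-bit rundll32 does this itself when
    handed a 32-bit DLL, so the pair says the DLL is 32-bit and that its code
    runs in the child, not the parent."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        p = by_pid.get(e.ppid)
        if (p is not None
                and p.image.lower() == r"c:\windows\system32\rundll32.exe"
                and e.image.lower() == r"c:\windows\syswow64\rundll32.exe"
                and p.cmdline.lower() == e.cmdline.lower()):
            out.append((p.pid, e.pid))
    return out


def werfault_target(ev: ProcEvent, events: List[ProcEvent]) -> Optional[ProcEvent]:
    """Resolve the crashed process from WerFault's '-p <pid>' argument."""
    if not ev.image.lower().endswith(r"\werfault.exe"):
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d+)\b", ev.cmdline)
    if not m:
        return None
    by_pid = {e.pid: e for e in events}
    return by_pid.get(int(m.group(1)))


_DUMP = re.compile(r"^(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> Dict[str, object]:
    """Split a sandbox memory-dump file name into pid and mapped range.
    The second numeric field is an opaque sequence value in this export; it is
    kept verbatim and not interpreted."""
    m = _DUMP.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": int(m.group(1)), "seq": m.group(2),
            "start": start, "end": end, "size": end - start}


def triage(events: List[ProcEvent]) -> Dict[str, object]:
    loaders = [e.pid for e in events if rundll32_ordinal_from_temp(e)]
    crashes = {}
    for e in events:
        t = werfault_target(e, events)
        if t is not None:
            crashes[e.pid] = t.pid
    return {"ordinal_loaders": loaders,
            "wow64_chains": wow64_rundll32_chain(events),
            "werfault_crashes": crashes}


if __name__ == "__main__":
    print(triage(EVENTS))
    print(parse_dump_name(
        "behavioral1/memory/1044-115-0x00000000736D0000-0x00000000736FF000-memory.dmp"))
```

Run stand-alone it prints the triage dictionary (both rundll32 instances flagged as ordinal loaders, one WoW64 chain 796 -> 1044, WerFault 1460 resolving to crashed PID 1044) and the parsed dump range. The mapped range 0x736D0000-0x736FF000 is 0x2F000 bytes, which is a plausible in-memory image size for a 170KB DLL once its sections are page-aligned.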