Analysis

max time kernel: 26s
max time network: 150s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:32
Static task: static1
General

Target: 3e05ac9148a1805367881ef1514bfc58f9cd39a2fa7ab7c782bff22c4bdbbaac.dll (the file is named after its own SHA256)
Size: 170KB
MD5: e79727cd542651e4e65750942df9af6e
SHA1: cf4c9c156b50bc08eb1f11ced34e2530c502c0bc
SHA256: 3e05ac9148a1805367881ef1514bfc58f9cd39a2fa7ab7c782bff22c4bdbbaac
SHA512: 503752df676c8fc3b95a2318dedf5ad48a34c8170140ad5bf78a22517346b138a9cf8e2d2406d5b8e2805614635fd0db1e917b669a2d09c9867baf4538d7f39b
Malware Config

Extracted (static configuration pulled from the sample, not observed traffic)
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
(two RC4 key entries are listed; their values do not appear in this copy of the report)
Signatures

YARA rule match: dridex_ldr
  resource: behavioral1/memory/1628-115-0x0000000073C70000-0x0000000073CA0000-memory.dmp
  yara_rule: dridex_ldr
  (a dump of PID 1628, memory region 0x73C70000-0x73CA0000, matched the Dridex loader rule)

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2312  1628        WerFault.exe  71

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  2312  WerFault.exe   (this row is repeated 14 times in the report)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  2312  WerFault.exe
  Token: SeBackupPrivilege   2312  WerFault.exe
  Token: SeDebugPrivilege    2312  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 708 wrote to memory of 1628  708  rundll32.exe  71   (this row is repeated 3 times in the report)

Note that only the YARA hit is attributed to the sample's own code. The process enumeration and the SeDebugPrivilege/SeBackupPrivilege/SeRestorePrivilege adjustments belong to WerFault.exe collecting the crash dump of PID 1628, and the WriteProcessMemory entries are the 64-bit rundll32.exe (PID 708) writing into the 32-bit child it had just created (PID 1628), which is consistent with ordinary process start-up rather than injection by the loader.
Processes

C:\Windows\system32\rundll32.exe  (PID 708)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e05ac9148a1805367881ef1514bfc58f9cd39a2fa7ab7c782bff22c4bdbbaac.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\rundll32.exe  (PID 1628)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e05ac9148a1805367881ef1514bfc58f9cd39a2fa7ab7c782bff22c4bdbbaac.dll,#1
        +-- C:\Windows\SysWOW64\WerFault.exe  (PID 2312)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 708
              signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sandbox launched the DLL with the 64-bit rundll32.exe from System32, calling export ordinal #1. Because the DLL is 32-bit, that host re-launched the same command line under the 32-bit rundll32.exe in SysWOW64 (PID 1628). The Dridex loader was identified in that process's memory (the dridex_ldr YARA hit above) before it crashed, and WerFault.exe was started to handle the crash (-p 1628 names the faulting process). The three C2 endpoints in the Malware Config section come from the extracted configuration; this copy of the report contains no network section.
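The two things an analyst usually takes from a report like this are the extracted configuration (as validated IOCs) and the execution pattern in the process tree (as a detection). The following is an added example, not code from the report, from Triage, or from the Dridex sample: it parses the Malware Config block above into an IOC record, checks that the target's file name really is its SHA256, and runs two checks derived from the Processes tree over constructed process-creation events (the rundll32 launch of a DLL from a user-writable Temp directory by export ordinal, and the System32 rundll32 handing a 32-bit DLL to its SysWOW64 counterpart). The event records, the parent PID 4000 and the benign shell32.dll control-panel launch used as a negative control are all made up for the example.

```python
"""Added example (not the Triage report's or the Dridex sample's code): validate
the extracted config into an IOC record and apply the process-tree pattern
from this report to constructed process-creation events."""
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed from the Malware Config block of this report, one key or value per line.
REPORT_CONFIG = """\
Family
dridex
Botnet
40112
C2
128.199.200.38:443
192.163.233.216:6601
43.229.206.244:4125
"""

# Copied from the General block; the target file is named after its own SHA256.
TARGET = "3e05ac9148a1805367881ef1514bfc58f9cd39a2fa7ab7c782bff22c4bdbbaac.dll"
HASHES = {
    "md5": "e79727cd542651e4e65750942df9af6e",
    "sha1": "cf4c9c156b50bc08eb1f11ced34e2530c502c0bc",
    "sha256": "3e05ac9148a1805367881ef1514bfc58f9cd39a2fa7ab7c782bff22c4bdbbaac",
}

# Constructed process-creation events shaped like the report's process tree.
# ppid 4000 and the shell32.dll control-panel launch (a benign rundll32 use)
# are invented context, not part of the report.
DLL = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + TARGET
CMD = f"rundll32.exe {DLL},#1"
EVENTS = [
    {"pid": 708, "ppid": 4000, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": CMD},
    {"pid": 1628, "ppid": 708, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": CMD},
    {"pid": 2312, "ppid": 1628, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 708"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

CONFIG_KEYS = {"Family", "Botnet", "C2"}


def parse_c2(entry):
    """Return (ip, port) for an 'ip:port' line, or None if it is not a valid IP literal + port."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return host, int(port)


def parse_config(text):
    """Parse the flattened config text into {'family', 'botnet', 'c2': [(ip, port), ...]}.
    A malformed C2 line raises instead of silently becoming an indicator."""
    out = {"family": None, "botnet": None, "c2": []}
    key = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line in CONFIG_KEYS:
            key = line
        elif key == "Family":
            out["family"] = line.lower()
        elif key == "Botnet":
            out["botnet"] = int(line)
        elif key == "C2":
            c2 = parse_c2(line)
            if c2 is None:
                raise ValueError(f"bad C2 entry: {line!r}")
            out["c2"].append(c2)
    return out


def report_iocs(config_text=REPORT_CONFIG, target=TARGET, hashes=HASHES):
    """Merge config and file hashes into one IOC record, refusing a target whose
    name (expected to be the SHA256) disagrees with the SHA256 field."""
    if PureWindowsPath(target).stem.lower() != hashes["sha256"].lower():
        raise ValueError("target name does not match SHA256 field")
    record = parse_config(config_text)
    record["hashes"] = dict(hashes)
    return record


# rundll32 command line: "<rundll32[.exe]> <dll path>,<export name | #ordinal>"
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#\d+|\w+)', re.IGNORECASE)


def rundll32_reasons(event):
    """Why a rundll32 event matches the loader pattern in this report: 'user_path'
    if the DLL lives under the Users profile tree (e.g. %TEMP%), 'ordinal' if the
    export is given as #N. Empty list for non-rundll32 processes and benign uses."""
    if PureWindowsPath(event["image"]).name.lower() != "rundll32.exe":
        return []
    m = RUNDLL32_RE.search(event["cmdline"])
    if not m:
        return []
    reasons = []
    if "users" in [p.lower() for p in PureWindowsPath(m["dll"]).parts]:
        reasons.append("user_path")
    if m["export"].startswith("#"):
        reasons.append("ordinal")
    return reasons


def wow64_handoffs(events):
    """(parent pid, child pid) pairs where a System32 (64-bit) rundll32 spawned a
    SysWOW64 (32-bit) rundll32 with the identical command line: the 64-bit host
    re-launching a 32-bit DLL, exactly what PIDs 708 -> 1628 show in the report."""
    by_pid = {e["pid"]: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if (e["image"].lower().endswith(r"\syswow64\rundll32.exe")
                and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and e["cmdline"] == parent["cmdline"]):
            pairs.append((parent["pid"], e["pid"]))
    return pairs


if __name__ == "__main__":
    print(report_iocs())
    for ev in EVENTS:
        print(ev["pid"], rundll32_reasons(ev))
    print("wow64 handoffs:", wow64_handoffs(EVENTS))
```

The rundll32 check deliberately reports reasons rather than a verdict: a DLL under a user profile, or an ordinal export, is each suspicious on its own, and both together (as here) is the pattern worth alerting on, while the control-panel launch from System32 with a named export produces nothing.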