Analysis

max time kernel:  24s
max time network: 115s
platform:         windows10_x64
resource:         win10v20210408
submitted:        15/06/2021, 11:22

Static task: static1
General

Target: e48d48d9b94b21c996dd5b9b6bed1aab9914c24115f4c09bf5f6d5d3afe78d04.dll
Size:   172KB
MD5:    51d235c9d408f8f1cbcf72d540f8df1e
SHA1:   96ed397d5e3bde2af46971b51ee24187dae8f632
SHA256: e48d48d9b94b21c996dd5b9b6bed1aab9914c24115f4c09bf5f6d5d3afe78d04
SHA512: 9df037241fe703c61c250449f758d67312472ca22f7ebff88deedd6756d19fcd7b7712fb41a5d549e2a6f36e5553b3ffaecf1163f27830e4dc9127ca5c27fe64
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

YARA match
  resource:  behavioral1/memory/1288-115-0x0000000073ED0000-0x0000000073F00000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  192  1288        WerFault.exe  70

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  Process
  192  WerFault.exe   (the same entry is reported 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid  Process
  Token: SeRestorePrivilege  192  WerFault.exe
  Token: SeBackupPrivilege   192  WerFault.exe
  Token: SeDebugPrivilege    192  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 804 wrote to memory of 1288  804  rundll32.exe  70
  PID 804 wrote to memory of 1288  804  rundll32.exe  70
  PID 804 wrote to memory of 1288  804  rundll32.exe  70
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e48d48d9b94b21c996dd5b9b6bed1aab9914c24115f4c09bf5f6d5d3afe78d04.dll,#1
  PID: 804
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e48d48d9b94b21c996dd5b9b6bed1aab9914c24115f4c09bf5f6d5d3afe78d04.dll,#1
    PID: 1288

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 680
      PID: 192
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken