Analysis
max time kernel: 27s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:25
Static task: static1
General
Target: 96e3b8963203e95cd1415f10d32777d7b1b0a6842d7bc19bf579f61e4f9683d5.dll
Size: 170KB
MD5: e5b2fe8246ba47a023e3b1e91a94ce5e
SHA1: d9f17c8e0f2af7e50f25b0239525a9ff89a28c90
SHA256: 96e3b8963203e95cd1415f10d32777d7b1b0a6842d7bc19bf579f61e4f9683d5
SHA512: 31349e93f3b9576aee65cfc3c3967afcfe5233328c9c099a307f395d6fe2472560774b6aba8045656ff88239b5127d1981a7f00547810708621fd69593838f79
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

yara_rule match
resource: behavioral1/memory/1512-115-0x0000000074310000-0x0000000074340000-memory.dmp
yara_rule: dridex_ldr

Program crash (1 IoC)
pid   pid_target  Process       procid_target
3852  1512        WerFault.exe  71

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
3852  WerFault.exe  (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid   Process
Token: SeRestorePrivilege  3852  WerFault.exe
Token: SeBackupPrivilege   3852  WerFault.exe
Token: SeDebugPrivilege    3852  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid  Process       procid_target
PID 804 wrote to memory of 1512  804  rundll32.exe  71  (same entry repeated 3 times)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\96e3b8963203e95cd1415f10d32777d7b1b0a6842d7bc19bf579f61e4f9683d5.dll,#1
  PID: 804
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\96e3b8963203e95cd1415f10d32777d7b1b0a6842d7bc19bf579f61e4f9683d5.dll,#1
    PID: 1512

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 680
      PID: 3852
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken