Analysis
- max time kernel: 25s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 16:17
- static task: static1
General
- Target: 86636904b19483397b3cc804a50d4327a918f30ae2a52041e5befd051c5f452d.dll
- Size: 170KB
- MD5: 0ed397a1bbac763ec318f89ffe3e9bea
- SHA1: 37b6d87b354bd71d0174633b76d89d4d7bf5749d
- SHA256: 86636904b19483397b3cc804a50d4327a918f30ae2a52041e5befd051c5f452d
- SHA512: f0d8fe8d7d7591fb3e4141f9c15addfb17f9529ef85ba9a82d7aa723f74701a40acdfb194fb4a21d92038c3bdf1fe368cf56f80f07100de707cb2868d06b80c2
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 128.199.200.38:443
  - 192.163.233.216:6601
  - 43.229.206.244:4125
- rc4.plain
- rc4.plain
Signatures
- dridex_ldr (yara_rule)
  resource: behavioral1/memory/1312-115-0x00000000742C0000-0x00000000742F0000-memory.dmp
- Program crash (1 IoC)
  pid 3640, pid_target 1312, Process WerFault.exe, procid_target 70
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 3640, Process WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege, pid 3640, Process WerFault.exe
  Token: SeBackupPrivilege, pid 3640, Process WerFault.exe
  Token: SeDebugPrivilege, pid 3640, Process WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 672 wrote to memory of 1312, Process rundll32.exe, procid_target 70 (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 672)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86636904b19483397b3cc804a50d4327a918f30ae2a52041e5befd051c5f452d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1312)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86636904b19483397b3cc804a50d4327a918f30ae2a52041e5befd051c5f452d.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 3640)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 684
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken