Analysis
max time kernel: 26s
max time network: 114s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 15:22
Static task: static1
General
Target: 897dc2340ba0dcf3afbe92e8951f171f1574ad65d1580435fd84371e151929d0.dll
Size: 170KB
MD5: 58394df4da4b47623d9fc535b71a6819
SHA1: 55412d1bfb656079fe50504b2fcacd50fafd3ce9
SHA256: 897dc2340ba0dcf3afbe92e8951f171f1574ad65d1580435fd84371e151929d0
SHA512: 87568d4f5f28361dad1ce15703542e72258ada2316e4ef1dfa19bd66d86dd7420c488b80b3914de3a2309e784b0866361d1a8e822ee0e72d5660144a6c0246e3
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
Signatures

yara_rule
  resource                                                                  rule
  behavioral1/memory/2004-115-0x0000000073F50000-0x0000000073F80000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2844  2004        WerFault.exe  71

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  2844  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  2844  WerFault.exe
  Token: SeBackupPrivilege   2844  WerFault.exe
  Token: SeDebugPrivilege    2844  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 1040 wrote to memory of 2004  1040  rundll32.exe  71   (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\897dc2340ba0dcf3afbe92e8951f171f1574ad65d1580435fd84371e151929d0.dll,#1
  PID: 1040
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\897dc2340ba0dcf3afbe92e8951f171f1574ad65d1580435fd84371e151929d0.dll,#1
    PID: 2004

    C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 680
      PID: 2844
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken