Analysis
  max time kernel: 18s
  max time network: 139s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 15/06/2021, 11:19

Static task
  static1

General
  Target: 42ea0d001e3f510a9c196660614150f6db83867cd88a9e7313e16a58ccb75fa0.dll
  Size: 172KB
  MD5: 0dbb61297e154902df561f28a106071b
  SHA1: 587f15369887c6a057cc6b8526c8edc9d852ab05
  SHA256: 42ea0d001e3f510a9c196660614150f6db83867cd88a9e7313e16a58ccb75fa0
  SHA512: 1cb1260c7cf9ce43a6e35d46afc763f1b4771e4906c95894e3cfbb7d26a68e6c0a7c6021975912a7c6ccd9dfe443bdeb10dd29e172135a2804e0f0187a639df8
Malware Config
  Extracted
  Family: dridex
  Botnet: 40112
  C2:
    210.65.244.187:443
    162.241.41.92:2303
    46.231.204.10:8172
    185.183.159.100:4125
  rc4.plain
  rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/3140-115-0x00000000736B0000-0x00000000736E0000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid    pid_target    Process         procid_target
  2696   3140          WerFault.exe    71

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid    Process
  2696   WerFault.exe    (the same row is reported 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                   pid    Process
  Token: SeRestorePrivilege     2696   WerFault.exe
  Token: SeBackupPrivilege      2696   WerFault.exe
  Token: SeDebugPrivilege       2696   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid    Process         procid_target
  PID 3656 wrote to memory of 3140     3656   rundll32.exe    71
  (the same row is reported 3 times)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42ea0d001e3f510a9c196660614150f6db83867cd88a9e7313e16a58ccb75fa0.dll,#1
   PID: 3656
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42ea0d001e3f510a9c196660614150f6db83867cd88a9e7313e16a58ccb75fa0.dll,#1
      PID: 3140

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 684
         PID: 2696
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken