Analysis

max time kernel: 18s
max time network: 122s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:06
Static task: static1
General

Target: fad52b1b02da6f733100aafedb5651dc1dfeb26f60be83035b245c8eba8bd2b2.dll
Size: 172KB
MD5: 4e00f70e6a40fa6c727273d9d8845188
SHA1: 884e8ecfb49bb03e2d5020071a2a2d75f3c96d83
SHA256: fad52b1b02da6f733100aafedb5651dc1dfeb26f60be83035b245c8eba8bd2b2
SHA512: ff10bd0597c73f1a6d6c58214f5f7bcc7ce56d76b697e83e75fad4c386e7ea74dadf4bebbe629f6aad340a7eea650fd736aa26af0e46c35b58904256820d0cc6
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

YARA match
  resource                                                                     yara_rule
  behavioral1/memory/3164-115-0x00000000736D0000-0x0000000073700000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3584  3164        WerFault.exe  69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  3584  WerFault.exe  (14 identical events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  3584  WerFault.exe
  Token: SeBackupPrivilege   3584  WerFault.exe
  Token: SeDebugPrivilege    3584  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process       procid_target
  PID 1892 wrote to memory of 3164    1892  rundll32.exe  69
  PID 1892 wrote to memory of 3164    1892  rundll32.exe  69
  PID 1892 wrote to memory of 3164    1892  rundll32.exe  69
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fad52b1b02da6f733100aafedb5651dc1dfeb26f60be83035b245c8eba8bd2b2.dll,#1
   PID: 1892
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fad52b1b02da6f733100aafedb5651dc1dfeb26f60be83035b245c8eba8bd2b2.dll,#1
      PID: 3164

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 676
         PID: 3584
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken