Analysis

max time kernel: 27s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 15:36
Static task: static1

General

Target: a006e4c93bbd388a4ca2bbacdb8d9858518a6ee9396e6fdee2e093c7748ad963.dll
Size: 172KB
MD5: f266e1b0c44808cb6542f676315bfe97
SHA1: d55e927340b1f03adf3029838b122b9a0408ca86
SHA256: a006e4c93bbd388a4ca2bbacdb8d9858518a6ee9396e6fdee2e093c7748ad963
SHA512: 5152d941cf4600f547a2411f1fb4300b1756a1372531823a07e98776c79093563da447f7a38008a38b9a46a625c642a368c86b945653da89aaec555f9fffd734
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
(two rc4.plain key entries are listed; the key values are not included in this report)
Signatures

YARA rule match
  resource: behavioral1/memory/848-115-0x00000000742C0000-0x00000000742F0000-memory.dmp
  rule: dridex_ldr

Program crash (1 IoC)
  pid 3640 (WerFault.exe) handled the crash of pid 848 (procid_target 69)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 3640 WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege  pid 3640 WerFault.exe
  Token: SeBackupPrivilege   pid 3640 WerFault.exe
  Token: SeDebugPrivilege    pid 3640 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 672 (rundll32.exe) wrote to memory of PID 848 (rundll32.exe, procid_target 69), 3 identical entries

Note: the crash, EnumeratesProcesses and AdjustPrivilegeToken signatures are all attributed to WerFault.exe, i.e. to Windows Error Reporting collecting a dump of the crashed loader, not to the sample's own code. The sample-specific evidence in this run is the dridex_ldr YARA match on the memory of pid 848 and the extracted configuration above.
Processes

1. C:\Windows\system32\rundll32.exe (PID 672)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\a006e4c93bbd388a4ca2bbacdb8d9858518a6ee9396e6fdee2e093c7748ad963.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 848)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a006e4c93bbd388a4ca2bbacdb8d9858518a6ee9396e6fdee2e093c7748ad963.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 3640)
         C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 680
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

The DLL is invoked by export ordinal (`,#1`) from the user's Temp directory. The 64-bit rundll32.exe (PID 672) relaunching the SysWOW64 copy (PID 848) is the standard WoW64 hand-off for a 32-bit DLL; the 32-bit loader then crashed inside the sandbox and WerFault.exe was started for PID 848, which is where the dridex_ldr memory match was taken.
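The following triage helper is an added example, not output of the sandbox or code from the sample: it turns the report's extracted C2 list into validated indicators, flags the three behaviours visible in the process tree (ordinal load from Temp, 64-bit to SysWOW64 rundll32 relaunch, WerFault handling the loader crash), and matches constructed connection records against the C2 set. The process tuples and the `SAMPLE_LOG` lines are constructed from the report and for illustration; the report excerpt itself lists no network events.

```python
"""Triage helper for the Dridex loader report above (added example, not sandbox output)."""
import re
from ipaddress import ip_address

# C2 endpoints exactly as printed in the report's "Malware Config" section.
REPORT_C2 = [
    "210.65.244.187:443",
    "162.241.41.92:2303",
    "46.231.204.10:8172",
    "185.183.159.100:4125",
]

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\a006e4c93bbd388a4ca2bbacdb8d9858518a6ee9396e6fdee2e093c7748ad963.dll")

# Process tree as printed in the report: (pid, parent pid, image path, command line).
# Parent PIDs follow the tree nesting; the root's parent is not shown (None).
REPORT_PROCESSES = [
    (672, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (848, 672, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (3640, 848, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 680"),
]


def parse_c2(entries):
    """Turn 'ip:port' strings into validated (ip, port) tuples; rejects garbage."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        out.append((str(ip_address(host)), port))  # ip_address() raises on a bad IP
    return out


_ORDINAL = re.compile(r",#(\d+)\s*$")          # rundll32 export-by-ordinal syntax
_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def rundll32_findings(procs):
    """Return (pid, reason) pairs for the behaviours seen in the report's tree."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmd in procs:
        base = image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(ppid)
        if base == "rundll32.exe":
            m = _ORDINAL.search(cmd)
            if m and _TEMP.search(cmd):
                findings.append((pid, f"rundll32 loads DLL from user Temp by ordinal #{m.group(1)}"))
            # 64-bit rundll32 hands a 32-bit DLL to the SysWOW64 copy of itself.
            if (parent and parent[2].lower().endswith(r"\system32\rundll32.exe")
                    and r"\syswow64\rundll32.exe" in image.lower()):
                findings.append((pid, "64-bit rundll32 relaunched SysWOW64 rundll32 (32-bit DLL)"))
        elif base == "werfault.exe":
            # WerFault's -p argument is the PID of the faulting process.
            m = re.search(r"-p\s+(\d+)", cmd)
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and crashed[2].lower().endswith("rundll32.exe"):
                findings.append((pid, f"WerFault handling crash of rundll32 pid {crashed[0]}"))
    return findings


def c2_hits(log_lines, c2):
    """Match 'src -> dst:port' connection records against the (ip, port) C2 set."""
    wanted = set(c2)
    hits = []
    for line in log_lines:
        m = re.search(r"->\s*(\d+\.\d+\.\d+\.\d+):(\d+)", line)
        if m and (m.group(1), int(m.group(2))) in wanted:
            hits.append(line)
    return hits


# Constructed connection records for illustration; the report lists no network events.
SAMPLE_LOG = [
    "10.0.0.5:49712 -> 210.65.244.187:443 TCP SYN",
    "10.0.0.5:49713 -> 93.184.216.34:443 TCP SYN",
    "10.0.0.5:49714 -> 185.183.159.100:4125 TCP SYN",
]

if __name__ == "__main__":
    for pid, why in rundll32_findings(REPORT_PROCESSES):
        print(pid, why)
    for line in c2_hits(SAMPLE_LOG, parse_c2(REPORT_C2)):
        print("C2 hit:", line)
```

Run as-is it prints four findings (672 and 848 for the ordinal load from Temp, 848 for the WoW64 relaunch, 3640 for WerFault handling the crash of 848) and two C2 hits from the constructed log. The ordinal and Temp-path checks are the parts worth porting to an EDR query; the WerFault rule only tells you the loader crashed, which is what happened in this sandbox run and need not happen on a victim host.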