Analysis

max time kernel:  26s
max time network: 87s
platform:         windows10_x64
resource:         win10v20210408
submitted:        15/06/2021, 15:41
Static task:      static1
General

Target: fb92dfc03d4de79e6440e20781553f3f8defbf1b6968f69924d1293fbae23d8a.dll
Size:   172KB
MD5:    ca99b94951519d96a9f01a65fc82e696
SHA1:   b996ebd51bf9c973c0dad0e53c8c84d2c0a98968
SHA256: fb92dfc03d4de79e6440e20781553f3f8defbf1b6968f69924d1293fbae23d8a
SHA512: 069fc3590fd9f8aa4926979cf0fef6f3ee2553416fa44f7f8df442ca0eba4a3a307f8f194ee6225e370329eeb3e2f1bf1fd577cb8bc3365fc6241506706ef67b
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

resource                                                                        yara_rule
behavioral1/memory/508-115-0x00000000735F0000-0x0000000073620000-memory.dmp     dridex_ldr

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
2868  508         WerFault.exe  69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
2868  WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid   Process
Token: SeRestorePrivilege  2868  WerFault.exe
Token: SeBackupPrivilege   2868  WerFault.exe
Token: SeDebugPrivilege    2868  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                     pid  Process       procid_target
PID 604 wrote to memory of 508  604  rundll32.exe  69
PID 604 wrote to memory of 508  604  rundll32.exe  69
PID 604 wrote to memory of 508  604  rundll32.exe  69
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb92dfc03d4de79e6440e20781553f3f8defbf1b6968f69924d1293fbae23d8a.dll,#1
  PID: 604
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb92dfc03d4de79e6440e20781553f3f8defbf1b6968f69924d1293fbae23d8a.dll,#1
    PID: 508

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 680
      PID: 2868
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken