Analysis
max time kernel: 25s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:28
Static task: static1
General
Target: af66c1a9887b18abe52b6ee9a3ddd3300344bc41fafa3c4b98f564ed7fbfad37.dll
Size: 172KB
MD5: c0af8b01c67c429945f882c049399ad2
SHA1: 78fd185fbeb5edab32d2ab710023972626baee82
SHA256: af66c1a9887b18abe52b6ee9a3ddd3300344bc41fafa3c4b98f564ed7fbfad37
SHA512: aaf826bebe12bb9da0f6371272e1b69d4e3bb7f611a1a4c4f7f8836a9eb3caf34ffbac2e93bb3db79d4ac08b34f16d80e34240e5dd28d27df8c6de17511bc2e2
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
210.65.244.187:443
162.241.41.92:2303
46.231.204.10:8172
185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

YARA rule match (memory)
resource | yara_rule
behavioral1/memory/1564-115-0x0000000073F10000-0x0000000073F40000-memory.dmp | dridex_ldr

Program crash 1 IoCs
pid | pid_target | Process | procid_target
504 | 1564 | WerFault.exe | 70

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
504 | WerFault.exe (14 identical events)

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeRestorePrivilege | 504 | WerFault.exe
Token: SeBackupPrivilege | 504 | WerFault.exe
Token: SeDebugPrivilege | 504 | WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 472 wrote to memory of 1564 | 472 | rundll32.exe | 70 (3 identical events)
Processes

C:\Windows\system32\rundll32.exe (PID 472)
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af66c1a9887b18abe52b6ee9a3ddd3300344bc41fafa3c4b98f564ed7fbfad37.dll,#1
signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1564), child of PID 472
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af66c1a9887b18abe52b6ee9a3ddd3300344bc41fafa3c4b98f564ed7fbfad37.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (PID 504), child of PID 1564
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 680
    signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
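The process chain above (64-bit rundll32 in system32 re-launching the 32-bit copy in SysWOW64 with the same ordinal-export command line, then WerFault reporting a crash of that child) is the kind of pattern a detection engineer would encode from this report. The following is an added example and not part of the Triage report: the event records are constructed to mirror the report's process tree, the field names (pid, ppid, image, cmdline), the rule names and the benign rundll32 control event are assumptions of the example, and a real deployment would feed it Sysmon Event ID 1 or equivalent process-creation telemetry.

```python
"""
Detection logic for the rundll32 -> WoW64 rundll32 -> WerFault chain seen in
the report. Added example: the events below are constructed, not telemetry
captured from the sandbox run, and the rule names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the process image, as a logger would record it
    cmdline: str    # command line as logged


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp\af66c1a9887b18abe52b6ee9a3ddd33"
              r"00344bc41fafa3c4b98f564ed7fbfad37.dll")

# Constructed events modelled on the report's tree (472 -> 1564 -> 504).
# Parent PID 3000 and the shell32 control event (PID 900) are invented.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(472, 3000, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(1564, 472, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(504, 1564, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 680"),
    ProcEvent(900, 3000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

# "rundll32.exe <dll>,#<ordinal>": a DLL entry point called by ordinal number.
ORDINAL_CALL = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,#(?P<ordinal>\d+)\s*$', re.I)
# DLL path under a user profile (user-writable location such as %TEMP%).
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)
# WerFault's "-p <pid>" names the crashed process.
WERFAULT_PID = re.compile(r"\s-p\s+(?P<pid>\d+)\b")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_rundll32(ev: ProcEvent) -> bool:
    return _basename(ev.image) == "rundll32.exe"


def dll_by_ordinal_from_user_dir(ev: ProcEvent) -> bool:
    """rundll32 calling an export by ordinal on a DLL under C:\\Users\\..."""
    if not is_rundll32(ev):
        return False
    m = ORDINAL_CALL.match(ev.cmdline.strip())
    return bool(m and USER_WRITABLE.match(m.group("dll")))


def wow64_relaunch(events: List[ProcEvent]) -> List[int]:
    """PIDs of a SysWOW64 rundll32 spawned by a system32 rundll32 with the
    same command line: the 64-bit host hands a 32-bit DLL to its 32-bit copy."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if (parent is not None and is_rundll32(ev) and is_rundll32(parent)
                and "\\syswow64\\" in ev.image.lower()
                and "\\system32\\" in parent.image.lower()
                and ev.cmdline.strip().lower() == parent.cmdline.strip().lower()):
            hits.append(ev.pid)
    return hits


def werfault_targets(events: List[ProcEvent]) -> Dict[int, int]:
    """Map WerFault PID -> PID of the process it was launched to report on."""
    out: Dict[int, int] = {}
    for ev in events:
        if _basename(ev.image) == "werfault.exe":
            m = WERFAULT_PID.search(ev.cmdline)
            if m:
                out[ev.pid] = int(m.group("pid"))
    return out


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for every process the rules flag."""
    findings: Dict[int, List[str]] = {}

    def flag(pid: int, rule: str) -> None:
        findings.setdefault(pid, []).append(rule)

    for ev in events:
        if dll_by_ordinal_from_user_dir(ev):
            flag(ev.pid, "rundll32_ordinal_export_user_dir")
    for pid in wow64_relaunch(events):
        flag(pid, "rundll32_wow64_relaunch")
    # A crash of an already-flagged rundll32 corroborates the chain; an
    # unflagged crash is left alone, since WerFault on its own is routine.
    for wer_pid, crashed in werfault_targets(events).items():
        if crashed in findings:
            flag(crashed, f"crashed_werfault_pid_{wer_pid}")
    return findings


if __name__ == "__main__":
    for pid, rules in analyze(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The ordinal rule fires on both rundll32 instances (472 and 1564), the WoW64 rule only on the child 1564, and the WerFault rule attaches the crash to 1564 through the `-p 1564` argument, matching the report's Program crash row (pid 504, pid_target 1564). The shell32 control event is not flagged because it names an export rather than an ordinal and lives under C:\Windows.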