Analysis

Max time kernel: 17s
Max time network: 125s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 15/06/2021, 15:40
Static task: static1
General

Target: 8ecf4237492b631db14e86a9299499d1a2c62fbfb5c999af00f051f8308d4ca5.dll
Size: 170KB
MD5: 961a166cdc2a8b9c2cdb1937c846c96f
SHA1: 85d37533667a9e15ff1c8073c1d8022ef436f0a7
SHA256: 8ecf4237492b631db14e86a9299499d1a2c62fbfb5c999af00f051f8308d4ca5
SHA512: 99c43da6277c1578554ff3919976586085323294047ca18b2d764385099d3605d3ebe0bc428a20bbfd4275b2ac8c588823a9e81c4f71d4d5a2d64c5382d7c4d4
Malware Config (extracted)

Family: dridex
Botnet: 40112
C2:
- 128.199.200.38:443
- 192.163.233.216:6601
- 43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

- YARA rule match
  resource: behavioral1/memory/3196-115-0x0000000074380000-0x00000000743B0000-memory.dmp
  rule: dridex_ldr

- Program crash (1 IoC)
  pid: 1800, pid_target: 3196, process: WerFault.exe, procid_target: 69

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 1800, process: WerFault.exe (14 identical entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege, pid: 1800, process: WerFault.exe
  Token: SeBackupPrivilege, pid: 1800, process: WerFault.exe
  Token: SeDebugPrivilege, pid: 1800, process: WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3724 wrote to memory of 3196, process: rundll32.exe, procid_target: 69 (3 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe (PID 3724)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ecf4237492b631db14e86a9299499d1a2c62fbfb5c999af00f051f8308d4ca5.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 3196)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ecf4237492b631db14e86a9299499d1a2c62fbfb5c999af00f051f8308d4ca5.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe (PID 1800)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 680
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken