Analysis
max time kernel: 19s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:17
Static task: static1
General
Target: 14e5b5abb2623a9b221d8e28434fe4e62b6b980350f11ca332bf6ac15001907c.dll
Size: 170KB
MD5: a7b44158c24ac7f8cae29abba7bfc0b2
SHA1: 0f5e5dea88dfc2128d36869bf62d5370971a3de5
SHA256: 14e5b5abb2623a9b221d8e28434fe4e62b6b980350f11ca332bf6ac15001907c
SHA512: 8f80cdb3f5d8c233d15fbe35fc083184d4ee23ce63b40a5279a93de1d9ccbbb7dca5c6b790b798123ae56c1105dc84a109a15eb8a5ff0e0db6ae9dd1fcf51730
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

resource   yara_rule                                                                                   rule
behavioral1/memory/2992-115-0x00000000742E0000-0x0000000074310000-memory.dmp                          dridex_ldr

Program crash (1 IoC)
pid   pid_target   Process        procid_target
36    2992         WerFault.exe   56

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
36    WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                  pid   Process
Token: SeRestorePrivilege    36    WerFault.exe
Token: SeBackupPrivilege     36    WerFault.exe
Token: SeDebugPrivilege      36    WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid    Process        procid_target
PID 4084 wrote to memory of 2992     4084   rundll32.exe   56   (3 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\14e5b5abb2623a9b221d8e28434fe4e62b6b980350f11ca332bf6ac15001907c.dll,#1
   PID: 4084
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\14e5b5abb2623a9b221d8e28434fe4e62b6b980350f11ca332bf6ac15001907c.dll,#1
      PID: 2992

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 680
         PID: 36
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken