Analysis
  max time kernel: 18s
  max time network: 112s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 15/06/2021, 12:06
  Static task: static1
General
  Target: 34b2a7f7fabadc0bdbc76d87bedee47482d8e742d9ca9d46bbf65d5223bf4208.dll
  Size: 170KB
  MD5: 3ee777e6223d128847877c2a0eb4f5f1
  SHA1: 933c9f31927fb026f3e3750395e9809aefd3fd15
  SHA256: 34b2a7f7fabadc0bdbc76d87bedee47482d8e742d9ca9d46bbf65d5223bf4208
  SHA512: 5dcab71e388e478b6a65d6c69e828fc238b8f52f5f6df73f6b93e4e89b6aece1010cf00f54b141edd7e5a114f670334a615fb113c4ee0660af5983ffceacda1c
Malware Config
  Extracted
    Family: dridex
    Botnet: 40112
    C2:
      128.199.200.38:443
      192.163.233.216:6601
      43.229.206.244:4125
    rc4.plain
    rc4.plain
Signatures

  YARA rule match
    resource                                                                     yara_rule
    behavioral1/memory/796-115-0x00000000742B0000-0x00000000742E0000-memory.dmp  dridex_ldr

  Program crash (1 IoCs)
    pid   pid_target  Process       procid_target
    3092  796         WerFault.exe  54

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid   Process
    3092  WerFault.exe   (same entry repeated 14 times)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description                 pid   Process
    Token: SeRestorePrivilege   3092  WerFault.exe
    Token: SeBackupPrivilege    3092  WerFault.exe
    Token: SeDebugPrivilege     3092  WerFault.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid   Process       procid_target
    PID 3400 wrote to memory of 796    3400  rundll32.exe  54
    PID 3400 wrote to memory of 796    3400  rundll32.exe  54
    PID 3400 wrote to memory of 796    3400  rundll32.exe  54
Processes

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\34b2a7f7fabadc0bdbc76d87bedee47482d8e742d9ca9d46bbf65d5223bf4208.dll,#1
    PID: 3400
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\34b2a7f7fabadc0bdbc76d87bedee47482d8e742d9ca9d46bbf65d5223bf4208.dll,#1
      PID: 796

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 680
        PID: 3092
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken