Analysis

max time kernel: 28s
max time network: 113s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:08
Static task: static1

General

Target: 57e90ddf5f6695d5f87ab1b59f150cdec0d56fbc24e6ccfdfbcdde49a2d028c9.dll
Size: 170KB
MD5: 8b02613f7dc1364318b0b767ae7f0cb9
SHA1: bac04ceff2e315942f54dbde13b784f1739d4747
SHA256: 57e90ddf5f6695d5f87ab1b59f150cdec0d56fbc24e6ccfdfbcdde49a2d028c9
SHA512: 57d73dcbe0eb3fafc1ac96b0792d1faeeaf5c26c536ec412193eaea4a065027a6f1ca04867511b20bbb5ef8cb3dd713e1bca3b5bb3b37ac29d9f76cfcf948b8d
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA match (behavioral memory dump)
  resource: behavioral1/memory/1324-115-0x00000000736D0000-0x0000000073700000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid: 3544  pid_target: 1324  Process: WerFault.exe  procid_target: 70

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 3544  Process: WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege  pid: 3544  Process: WerFault.exe
  Token: SeBackupPrivilege   pid: 3544  Process: WerFault.exe
  Token: SeDebugPrivilege    pid: 3544  Process: WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 796 wrote to memory of 1324  pid: 796  Process: rundll32.exe  procid_target: 70  (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\57e90ddf5f6695d5f87ab1b59f150cdec0d56fbc24e6ccfdfbcdde49a2d028c9.dll,#1
  PID: 796
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\57e90ddf5f6695d5f87ab1b59f150cdec0d56fbc24e6ccfdfbcdde49a2d028c9.dll,#1
    PID: 1324

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 688
      PID: 3544
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
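Two points a practitioner should take from the process tree before reusing it as a detection: the hop from the 64-bit rundll32.exe (PID 796) to the SysWOW64 copy (PID 1324) is the normal WoW64 relaunch for a 32-bit DLL and is not an indicator on its own, and the WerFault.exe crash handler on PID 1324 means the loader did not run to completion in this sandbox, which is consistent with the report listing no network signatures and the C2 addresses coming from extracted configuration rather than observed traffic. What is worth hunting for is the invocation itself: rundll32 loading a DLL from a user-writable path by export ordinal (`,#1`), with the crash correlated back to the same PID. The script below is an added example, not part of the sandbox report; the events are constructed to mirror the tree above plus one benign rundll32 call, and the field names (`pid`, `ppid`, `image`, `cmdline`) and the `USER_WRITABLE` path list are assumptions for the illustration.

```python
"""Hunt rundll32 ordinal-export loads from user-writable paths and correlate WerFault crashes.

Added example; the events below are constructed to mirror the process tree in the
report, not taken from sandbox output. Field names are an assumption.
"""
import re

# rundll32 <dll>,<export> where export is an ordinal (#N) or a named export
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"\s,]+\.dll)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)
# WerFault.exe ... -p <pid>: the crashed process id
WERFAULT_PID_RE = re.compile(r"\bWerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)

# Assumed list of user-writable locations worth flagging (lower-case, backslash separated)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

DLL = r"C:\Users\Admin\AppData\Local\Temp\57e90ddf5f6695d5f87ab1b59f150cdec0d56fbc24e6ccfdfbcdde49a2d028c9.dll"

# Constructed process-creation events modelled on the report's tree, plus a benign call
EVENTS = [
    {"pid": 796, "ppid": 4, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1324, "ppid": 796, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 3544, "ppid": 1324, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 688"},
    {"pid": 5000, "ppid": 4, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("export")


def is_suspicious(dll, export):
    """Ordinal export from a user-writable directory: the pattern seen in this report."""
    low = dll.lower()
    return export.startswith("#") and any(p in low for p in USER_WRITABLE)


def crashed_pids(events):
    """PIDs that WerFault.exe was launched for (-p <pid>)."""
    pids = set()
    for e in events:
        m = WERFAULT_PID_RE.search(e["cmdline"])
        if m:
            pids.add(int(m.group("pid")))
    return pids


def analyze(events):
    """Flag suspicious rundll32 loads and note whether the same PID later crashed."""
    crashed = crashed_pids(events)
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        if is_suspicious(dll, export):
            findings.append({
                "pid": e["pid"], "ppid": e["ppid"], "dll": dll,
                "export": export, "crashed": e["pid"] in crashed,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f['pid']} (parent {f['ppid']}): {f['dll']} export {f['export']}"
              f"{' [crashed under WerFault]' if f['crashed'] else ''}")
```

Both rundll32 instances are flagged because both carry the same command line; the SysWOW64 one is additionally marked as crashed, which tells the analyst the payload most likely never reached its C2 stage in this run. The benign shell32.dll call with a named export from System32 is not reported.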