Analysis
max time kernel: 26s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 15:28
Static task: static1
General
Target: db7342f09af223c677dc966baa9ff578c9060987ae8a97048629b0e952f96def.dll
Size: 172KB
MD5: c3dc839d2870a4fcf5093334ed7c7b12
SHA1: 04fb7801426d0578e1fabc58a19481509fa720d0
SHA256: db7342f09af223c677dc966baa9ff578c9060987ae8a97048629b0e952f96def
SHA512: 8d28aa3b12353a4a7d4ec37b409f59d4d602bf48ae43568eb5ad94854655a2fc593ad0f8fad38eb6961a6586c7a17e2885815face00fed2c63d1477749572ab3
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

yara_rule: dridex_ldr
  resource: behavioral1/memory/1000-115-0x0000000073FB0000-0x0000000073FE0000-memory.dmp

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1332  1000        WerFault.exe  68

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1332  WerFault.exe   (same row reported 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  1332  WerFault.exe
  Token: SeBackupPrivilege   1332  WerFault.exe
  Token: SeDebugPrivilege    1332  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 640 wrote to memory of 1000  640  rundll32.exe  68   (same row reported 3 times)
Processes

C:\Windows\system32\rundll32.exe (PID 640)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\db7342f09af223c677dc966baa9ff578c9060987ae8a97048629b0e952f96def.dll,#1
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1000, child of 640)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\db7342f09af223c677dc966baa9ff578c9060987ae8a97048629b0e952f96def.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (PID 1332, child of 1000)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 692
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken