Analysis
max time kernel: 18s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:20
Static task: static1
General
Target: 584b3cc419227a8cd8abc8dd4d61b141470dd26e84ef8f3b339616331b0e7a4f.dll
Size: 170KB
MD5: d1afbe1dcee50d3c42bc947a88908119
SHA1: 03fa299a1e569a85c1b3ea8ef778b3bfea19321a
SHA256: 584b3cc419227a8cd8abc8dd4d61b141470dd26e84ef8f3b339616331b0e7a4f
SHA512: fb03bce60d92a7286e6ec9326eafcca3b2cce9624f39e6af32ba4c7761c030a80bbae5cd7fbb615531d534886894684a9a831fef5bad27a6b11a5361992fa97b
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA match
  resource: behavioral1/memory/776-115-0x00000000742E0000-0x0000000074310000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoCs)
  pid: 2672  pid_target: 776  Process: WerFault.exe  procid_target: 69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 2672  Process: WerFault.exe  (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeRestorePrivilege  pid: 2672  Process: WerFault.exe
  description: Token: SeBackupPrivilege   pid: 2672  Process: WerFault.exe
  description: Token: SeDebugPrivilege    pid: 2672  Process: WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4084 wrote to memory of 776  pid: 4084  Process: rundll32.exe  procid_target: 69
  description: PID 4084 wrote to memory of 776  pid: 4084  Process: rundll32.exe  procid_target: 69
  description: PID 4084 wrote to memory of 776  pid: 4084  Process: rundll32.exe  procid_target: 69
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\584b3cc419227a8cd8abc8dd4d61b141470dd26e84ef8f3b339616331b0e7a4f.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4084

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\584b3cc419227a8cd8abc8dd4d61b141470dd26e84ef8f3b339616331b0e7a4f.dll,#1
    PID: 776

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2672