Analysis

max time kernel: 17s
max time network: 116s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 15:46
Static task: static1
General

Target: f0bad5c66ab26c9e84cdaa45e832720e6034349d0963c010cbc0bd0ea17413da.dll
Size: 170KB
MD5: d5df873e85b73c9e8fc0fe3ddef68f78
SHA1: 8f6e67426f2c8572cdebd76cdf8bd771871cf9ae
SHA256: f0bad5c66ab26c9e84cdaa45e832720e6034349d0963c010cbc0bd0ea17413da
SHA512: 19d71c3dc4c3ec8d41a9816106aaa2dd9a816ca96751a057a54090ed4e15fc1b6016663cd2ad1a991dc076c2b1e6ef598524deb409ceade817817e558339c3d0
Malware Config (Extracted)

Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
Keys:
  rc4.plain
  rc4.plain
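The three C2 endpoints above are the most directly actionable data in this report. The following is an added example (not part of the sandbox output) that turns them into detection: it matches Zeek-style conn.log rows against the extracted ip:port pairs, also flagging a C2 address seen on a port the config does not list, and renders one Suricata rule per endpoint. The log rows, the sid range (1000001 upward) and the rule message text are this example's own choices; only the IPs, ports and botnet id come from the report.

```python
"""Match the C2 endpoints extracted from this Dridex sample against
connection-log rows and emit Suricata rules for them.
Added example; not part of the Triage report."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Endpoints copied from the "Malware Config" section of the report.
DRIDEX_C2 = {
    ("128.199.200.38", 443),
    ("192.163.233.216", 6601),
    ("43.229.206.244", 4125),
}
DRIDEX_C2_IPS = {ip for ip, _ in DRIDEX_C2}

# Constructed Zeek conn.log excerpt (tab-separated). 203.0.113.10 is a
# documentation-range address standing in for benign traffic; the last row
# reuses a C2 address on a port the config does not list.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1623772000.1\tC1\t10.0.0.5\t49812\t128.199.200.38\t443\ttcp
1623772001.2\tC2\t10.0.0.5\t49813\t203.0.113.10\t443\ttcp
1623772002.3\tC3\t10.0.0.7\t49814\t192.163.233.216\t6601\ttcp
1623772003.4\tC4\t10.0.0.7\t49815\t43.229.206.244\t8080\ttcp
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_conn_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Parse one conn.log row; uses the first seven standard columns.
    Returns (ts, src, dst, dport, proto), or None for header/malformed rows."""
    if line.startswith("#") or not line.strip():
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    ts, _uid, src, _sport, dst, dport, proto = fields[:7]
    try:
        ipaddress.ip_address(dst)          # reject non-IP responder fields
        return ts, src, dst, int(dport), proto
    except ValueError:
        return None


def match_c2(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per row whose responder matches the extracted C2 set.
    An exact ip:port match is high confidence; the same IP on another port is
    reported separately so it can be triaged at lower priority."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, _proto = rec
        if (dst, dport) in DRIDEX_C2:
            hits.append(Hit(ts, src, dst, dport, "exact ip:port match"))
        elif dst in DRIDEX_C2_IPS:
            hits.append(Hit(ts, src, dst, dport, "C2 ip on unlisted port"))
    return hits


def suricata_rules(base_sid: int = 1000001) -> List[str]:
    """Render one Suricata rule per extracted endpoint.
    The sid range and msg text are this example's choices, not the report's."""
    rules = []
    for i, (ip, port) in enumerate(sorted(DRIDEX_C2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Dridex botnet 40112 C2 {ip}:{port}"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for h in match_c2(SAMPLE_CONN_LOG.splitlines()):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport}  [{h.reason}]")
    print("\n".join(suricata_rules()))
```

The ports 6601 and 4125 are worth a separate hunt on their own: outbound TCP to arbitrary high ports from user workstations is rare enough that the port alone narrows a conn.log considerably, even after the addresses rotate.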
Signatures

YARA match: dridex_ldr
  resource: behavioral1/memory/3400-115-0x00000000736D0000-0x0000000073700000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1300  3400        WerFault.exe  71

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1300  WerFault.exe   (same row recorded 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  1300  WerFault.exe
  Token: SeBackupPrivilege   1300  WerFault.exe
  Token: SeDebugPrivilege    1300  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 3172 wrote to memory of 3400  3172  rundll32.exe  71
  PID 3172 wrote to memory of 3400  3172  rundll32.exe  71
  PID 3172 wrote to memory of 3400  3172  rundll32.exe  71
Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0bad5c66ab26c9e84cdaa45e832720e6034349d0963c010cbc0bd0ea17413da.dll,#1
  PID: 3172
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0bad5c66ab26c9e84cdaa45e832720e6034349d0963c010cbc0bd0ea17413da.dll,#1
    PID: 3400
    C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 680
      PID: 1300
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the 64-bit rundll32 (PID 3172) re-launched the DLL under the 32-bit SysWOW64 rundll32 (PID 3400), which is the normal WoW64 hand-off for a 32-bit DLL; the dridex_ldr YARA hit is on a memory region of PID 3400, and that process then crashed (WerFault -p 3400), which is why the kernel run time is only 17s. The EnumeratesProcesses and AdjustPrivilegeToken signatures are attributed to WerFault.exe, i.e. to crash reporting, not to the sample itself.
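The process tree is the other reusable part of this report. Below is an added example (not sandbox output) that applies the chain shown above to process-creation events: a rundll32 host loading a DLL from a user-writable Temp path, invoking an export by ordinal (",#1"), the WoW64 re-launch of the same DLL by a child rundll32, and a WerFault report for a flagged host. The event records are constructed to mirror the tree (PIDs 3172, 3400 and 1300 and the command lines come from the report; the parent PIDs 1000 and 900 and the benign shell32 control-panel row are invented for contrast). Field names follow the Sysmon Event ID 1 convention but are this example's own dict keys.

```python
"""Flag the rundll32 launch chain seen in this report from process-creation
events. Added example; the events below are constructed, not sandbox output."""
import re
from typing import Dict, List, Optional, Tuple

# "rundll32 <dll>,#<n>": export invoked by ordinal rather than by name.
ORDINAL_RE = re.compile(r",#\d+\s*$")
# DLL path under a user-writable staging directory (assumed pattern).
USER_WRITABLE_RE = re.compile(r"\\(users|programdata)\\.*\\(temp|downloads)\\", re.I)
# WerFault's "-p <pid>" names the process whose crash is being reported.
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\f0bad5c66ab26c9e84cdaa45e832720e6034349d0963c010cbc0bd0ea17413da.dll")

# Constructed process-creation events mirroring the report's tree.
SAMPLE_EVENTS = [
    {"pid": 3172, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 3400, "ppid": 3172, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 1300, "ppid": 3400, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 680"},
    # Benign-looking control-panel launch: system DLL, export by name.
    {"pid": 2200, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]


def rundll32_dll_arg(cmdline: str) -> Optional[str]:
    """Return the DLL path from 'rundll32[.exe] <dll>,<entry>', else None."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?,',
                 cmdline, re.I)
    return m.group(1) if m else None


def flag_rundll32_events(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for rundll32 hosts matching the chain, plus any
    WerFault report whose target pid is one of those hosts."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}

    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        dll = rundll32_dll_arg(e["cmdline"])
        if dll is None:
            continue
        reasons = []
        if ORDINAL_RE.search(e["cmdline"]):
            reasons.append("export called by ordinal")
        if USER_WRITABLE_RE.search(dll):
            reasons.append("DLL loaded from user-writable temp path")
        parent = by_pid.get(e["ppid"])
        if (parent and parent["image"].lower().endswith("\\rundll32.exe")
                and rundll32_dll_arg(parent["cmdline"]) == dll):
            # Normal WoW64 hand-off for a 32-bit DLL; on its own it is not
            # malicious, but it tells you which PID actually hosts the code.
            reasons.append("WoW64 re-launch of same DLL by child rundll32")
        if reasons:
            findings[e["pid"]] = reasons

    # Second pass: tie crash reports back to flagged hosts.
    for e in events:
        if not e["image"].lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_PID_RE.search(e["cmdline"])
        if m and int(m.group(1)) in findings:
            findings[e["pid"]] = [f"WerFault crash report for flagged rundll32 pid {m.group(1)}"]

    return list(findings.items())


if __name__ == "__main__":
    for pid, reasons in flag_rundll32_events(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The ordinal and Temp-path checks carry the signal here; the WoW64 re-launch check exists so that memory acquisition and the crash report are attributed to the right PID, not to mark the hand-off itself as malicious.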