Analysis
  max time kernel: 27s
  max time network: 112s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 15/06/2021, 15:36
  Static task: static1
General
  Target: bf68968595bcfb9c87eac5086809e6477cc1b4ede2dba7a816ed2663817c1579.dll
  Size: 170KB
  MD5: 5f506004c129edb5fe5d0cfe163ce775
  SHA1: ad71e29daacbb252cf54c48c159188feae1461ee
  SHA256: bf68968595bcfb9c87eac5086809e6477cc1b4ede2dba7a816ed2663817c1579
  SHA512: 47d8bdf8377cbca09aa3dcef4df71541d128940dd5018bbe57ee4dc261c03bb62acfee99192dcc76390bdfb431235d45fe1ba4830638a11352f4ab32b242ffbe
Malware Config (Extracted)
  Family: dridex
  Botnet: 40112
  C2:
    128.199.200.38:443
    192.163.233.216:6601
    43.229.206.244:4125
  rc4.plain
  rc4.plain
Signatures

resource yara_rule
  behavioral1/memory/4872-115-0x0000000073880000-0x00000000738B0000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  800  4872        WerFault.exe  70

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  Process
  800  WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid  Process
  Token: SeRestorePrivilege  800  WerFault.exe
  Token: SeBackupPrivilege   800  WerFault.exe
  Token: SeDebugPrivilege    800  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4804 wrote to memory of 4872  4804  rundll32.exe  70   (same entry repeated 3 times)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf68968595bcfb9c87eac5086809e6477cc1b4ede2dba7a816ed2663817c1579.dll,#1
  PID: 4804
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf68968595bcfb9c87eac5086809e6477cc1b4ede2dba7a816ed2663817c1579.dll,#1
    PID: 4872

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 680
      PID: 800
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken