Analysis

- max time kernel: 26s
- max time network: 88s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 11:24
- Static task: static1
General

- Target: a560419431bc084bbb4340241d988a9b54ce1a64876874be3bb5487ba129bbf9.dll
- Size: 170KB
- MD5: 4dd0a7760921eee679d03fbe98b3cd17
- SHA1: eae212ac4f0f7f589edc9f3cf3abcb2b9666f2e9
- SHA256: a560419431bc084bbb4340241d988a9b54ce1a64876874be3bb5487ba129bbf9
- SHA512: 60efa465f0ffb3414c521967d80e5e28ce0caecbff4b0dd5cf96b63c4b5321d6fda9eed6265919bdaa88dbeb5a181e20cef16f4312531459ab882bbd56272058
Malware Config (Extracted)

- Family: dridex
- Botnet: 40112
- C2:
  - 128.199.200.38:443
  - 192.163.233.216:6601
  - 43.229.206.244:4125
- rc4.plain
- rc4.plain
Signatures

yara_rule match
  resource                                                                  | yara_rule
  behavioral1/memory/1016-115-0x00000000735F0000-0x0000000073620000-memory.dmp | dridex_ldr

Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  3856 | 1016       | WerFault.exe | 69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  | Process
  3856 | WerFault.exe  (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               | pid  | Process
  Token: SeRestorePrivilege | 3856 | WerFault.exe
  Token: SeBackupPrivilege  | 3856 | WerFault.exe
  Token: SeDebugPrivilege   | 3856 | WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid | Process      | procid_target
  PID 596 wrote to memory of 1016  | 596 | rundll32.exe | 69
  PID 596 wrote to memory of 1016  | 596 | rundll32.exe | 69
  PID 596 wrote to memory of 1016  | 596 | rundll32.exe | 69
Processes

- C:\Windows\system32\rundll32.exe (PID: 596)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a560419431bc084bbb4340241d988a9b54ce1a64876874be3bb5487ba129bbf9.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 1016)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a560419431bc084bbb4340241d988a9b54ce1a64876874be3bb5487ba129bbf9.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID: 3856)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken