Analysis
  max time kernel:   25s
  max time network:  135s
  platform:          windows10_x64
  resource:          win10v20210408
  submitted:         15/06/2021, 11:29
  static task:       static1
General
  Target:  d631fcb9537b4fc2ffb91a820c52c7587b6a8ae2a461bdb47f05e3b5acff4213.dll
  Size:    172KB
  MD5:     d18c2664088853ec32cc083921c1c73e
  SHA1:    15e3964379d3e175eb60012029915fc0531cd919
  SHA256:  d631fcb9537b4fc2ffb91a820c52c7587b6a8ae2a461bdb47f05e3b5acff4213
  SHA512:  41f7738fc755e78970c5a8935d84ac44cd5f2f1b7048e659624801cc925edd5b0f5b84ace2b7ad42ff24694ebedc01bba66102b47a1599b1f5e1b5323b7a8d4e
Malware Config (extracted)
  Family:  dridex
  Botnet:  40112
  C2:
    210.65.244.187:443
    162.241.41.92:2303
    46.231.204.10:8172
    185.183.159.100:4125
  rc4.plain
  rc4.plain
Signatures
  yara_rule: dridex_ldr
    resource: behavioral1/memory/1500-115-0x0000000074310000-0x0000000074340000-memory.dmp

  Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2176  1500        WerFault.exe  71

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid   Process
    2176  WerFault.exe   (the same entry, reported 14 times)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description                pid   Process
    Token: SeRestorePrivilege  2176  WerFault.exe
    Token: SeBackupPrivilege   2176  WerFault.exe
    Token: SeDebugPrivilege    2176  WerFault.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid  Process       procid_target
    PID 804 wrote to memory of 1500   804  rundll32.exe  71   (the same entry, reported 3 times)
Processes
  C:\Windows\system32\rundll32.exe   (PID 804)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d631fcb9537b4fc2ffb91a820c52c7587b6a8ae2a461bdb47f05e3b5acff4213.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe   (PID 1500)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d631fcb9537b4fc2ffb91a820c52c7587b6a8ae2a461bdb47f05e3b5acff4213.dll,#1
      C:\Windows\SysWOW64\WerFault.exe   (PID 2176)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 680
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

The 64-bit rundll32.exe (PID 804) re-launched the SysWOW64 rundll32.exe (PID 1500) with the same command line, which is how a 32-bit DLL gets loaded on x64; the cross-process write from 804 to 1500 is part of that launch. The dridex_ldr yara hit is in PID 1500's memory (region 0x74310000-0x74340000, a 32-bit address range). WerFault.exe's "-p 1500" argument identifies PID 1500 as the process that crashed, and the privileges it enabled (SeRestore/SeBackup/SeDebug) are what Windows Error Reporting needs to collect a crash dump, not activity of the sample itself.
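Added example (not part of the sandbox's own tooling): a small Python script that checks the artefacts above for consistency. It parses the memory-dump name to recover PID and region bounds, rebuilds the process chain from the tree above, pulls the crashed PID out of WerFault's "-p" switch, and checks that the yara hit lands in the WoW64 rundll32.exe in a region large enough to hold the 172KB DLL. The process records and C2 entries are transcribed from this report; the dump-name layout "<pid>-<seq>-<start>-<end>-memory.dmp", with the second field taken to be a sandbox-assigned sequence number, is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Values transcribed from the report above.
DUMP_NAME = "1500-115-0x0000000074310000-0x0000000074340000-memory.dmp"
DLL_SIZE = 172 * 1024
C2 = ["210.65.244.187:443", "162.241.41.92:2303",
      "46.231.204.10:8172", "185.183.159.100:4125"]
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\d631fcb9537b4fc2ffb91a820c52c7587b6a8ae2a461bdb47f05e3b5acff4213.dll")

# Process tree from the report, flattened into (pid, ppid, image, cmdline) records.
PROCESSES: List[dict] = [
    {"pid": 804, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1500, "ppid": 804, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 2176, "ppid": 1500, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 680"},
]

# Assumption: dump names are "<pid>-<seq>-<start>-<end>-memory.dmp"; the second
# field is taken to be a sandbox-assigned sequence number.
DUMP_RE = re.compile(r"^(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_dump_name(name: str) -> Dict[str, int]:
    """Recover PID and region bounds from a memory-dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError("region end must be above region start")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch, i.e. the process that crashed."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)(?:\s|$)", cmdline)
    return int(m[1]) if m else None


def wow64_rundll32_chain(procs: List[dict]) -> List[int]:
    """Return [x64 rundll32, SysWOW64 rundll32, WerFault] PIDs when a 64-bit
    rundll32 re-launches the 32-bit one with an identical command line (the
    standard way a 32-bit DLL is loaded on x64) and that child then crashes.
    Returns [] when the chain is incomplete."""
    by_pid = {p["pid"]: p for p in procs}
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (parent["image"].lower() == r"c:\windows\system32\rundll32.exe"
                and child["image"].lower() == r"c:\windows\syswow64\rundll32.exe"
                and parent["cmdline"].lower() == child["cmdline"].lower()):
            for w in procs:
                if (w["ppid"] == child["pid"]
                        and w["image"].lower().endswith(r"\werfault.exe")
                        and werfault_target(w["cmdline"]) == child["pid"]):
                    return [parent["pid"], child["pid"], w["pid"]]
    return []


def yara_hit_consistent(dump: str, procs: List[dict], dll_size: int) -> bool:
    """The dridex_ldr hit should sit in the WoW64 rundll32, in a 32-bit address
    range, in a region at least as large as the DLL on disk."""
    region = parse_dump_name(dump)
    chain = wow64_rundll32_chain(procs)
    return (bool(chain) and region["pid"] == chain[1]
            and region["end"] <= 0xFFFFFFFF and region["size"] >= dll_size)


def parse_c2(entries: List[str]) -> List[Tuple[str, int]]:
    """Split host:port C2 entries and reject impossible ports."""
    out = []
    for entry in entries:
        host, port_s = entry.rsplit(":", 1)
        port = int(port_s)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {entry}")
        out.append((host, port))
    return out


if __name__ == "__main__":
    print(parse_dump_name(DUMP_NAME))
    print(wow64_rundll32_chain(PROCESSES))
    print(yara_hit_consistent(DUMP_NAME, PROCESSES, DLL_SIZE))
    print(parse_c2(C2))
```

The region in the dump name is 0x30000 bytes (192KB), enough to hold the 172KB DLL once sections are page-aligned, and its PID matches the SysWOW64 rundll32.exe that WerFault names in "-p 1500"; if either check failed, the yara hit and the crash would be pointing at different processes and the report would deserve a closer look.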