Analysis
max time kernel: 17s
max time network: 126s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:28
Static task: static1
General
Target: f2c69444a45ca0247494ae8b010931d815f513cce35d48ada92851369e5e91a4.dll
Size: 172KB
MD5: c2f67e7aad86b049d1af537ea830601d
SHA1: a879a3557b7cab52a7d27a73c0380defd26969b6
SHA256: f2c69444a45ca0247494ae8b010931d815f513cce35d48ada92851369e5e91a4
SHA512: f34ee5f6edc7edb0565439d880ce162c0bfd95ffe96a740a8f68aa984e553fa226a7cf20667cf484e145390940f058476b92f176530adb42861847377516427d
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
Signatures

YARA match 1 IoCs
resource                                                                       yara_rule
behavioral1/memory/4076-115-0x00000000735E0000-0x0000000073610000-memory.dmp  dridex_ldr

Program crash 1 IoCs
pid   pid_target   Process        procid_target
408   4076         WerFault.exe   72

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid   Process
408   WerFault.exe   (all 14 entries are this same process)

Suspicious use of AdjustPrivilegeToken 3 IoCs
description                 pid   Process
Token: SeRestorePrivilege   408   WerFault.exe
Token: SeBackupPrivilege    408   WerFault.exe
Token: SeDebugPrivilege     408   WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
description                           pid    Process        procid_target
PID 4024 wrote to memory of 4076      4024   rundll32.exe   72   (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2c69444a45ca0247494ae8b010931d815f513cce35d48ada92851369e5e91a4.dll,#1
  PID: 4024
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2c69444a45ca0247494ae8b010931d815f513cce35d48ada92851369e5e91a4.dll,#1
    PID: 4076

    C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 676
      PID: 408
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken