Analysis
- max time kernel: 28s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 11:06
- Static task: static1
General
- Target: cd2150b049c1c4cc7bab18a78c607c7fa3177a4847c259d40a1c755cd4a0ad30.dll
- Size: 170KB
- MD5: 191712125d17399255b3aefda6b6bde5
- SHA1: ab2887b391b147d7d9674f21ef46305cd08a4aec
- SHA256: cd2150b049c1c4cc7bab18a78c607c7fa3177a4847c259d40a1c755cd4a0ad30
- SHA512: a6241dadd8b88b29e494e1c61724e2239cd527c8cc840a2069656a0e08c8e498f9cad08e4af5f11d5b8a4854688a6d9df8c5560a02d5ad3dfae306c1a638d3de
Malware Config
- Extracted
  - Family: dridex
  - Botnet: 40112
  - C2:
    - 128.199.200.38:443
    - 192.163.233.216:6601
    - 43.229.206.244:4125
  - rc4.plain
  - rc4.plain
Signatures
- YARA rule match
    resource                                                                      yara_rule
    behavioral1/memory/1708-115-0x0000000074450000-0x0000000074480000-memory.dmp  dridex_ldr
- Program crash (1 IoC)
    pid  pid_target  Process       procid_target
    208  1708        WerFault.exe  70
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid  Process
    208  WerFault.exe
    (the same pid/process entry is listed 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description                pid  Process
    Token: SeRestorePrivilege  208  WerFault.exe
    Token: SeBackupPrivilege   208  WerFault.exe
    Token: SeDebugPrivilege    208  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                      pid  Process       procid_target
    PID 908 wrote to memory of 1708  908  rundll32.exe  70
    (the same entry is listed 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd2150b049c1c4cc7bab18a78c607c7fa3177a4847c259d40a1c755cd4a0ad30.dll,#1
  PID: 908
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd2150b049c1c4cc7bab18a78c607c7fa3177a4847c259d40a1c755cd4a0ad30.dll,#1
    PID: 1708
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 680
      PID: 208
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken