Analysis
  max time kernel: 18s
  max time network: 112s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 15/06/2021, 11:15
  Static task: static1
General
  Target: 380bffb5cb1ab717fd2aebcda8dd011231924ba10dbd8805454ba690b63a4b4e.dll
  Size: 170KB
  MD5: 552a275e1096e692d94ed9277c8edb8a
  SHA1: 2d4bf6313293ce55e42df2a75373ab55736d8dfc
  SHA256: 380bffb5cb1ab717fd2aebcda8dd011231924ba10dbd8805454ba690b63a4b4e
  SHA512: c020f92c3642abcbcbb7b4fc49838b686c6b921a6f03561a8e3da938085787d68bb0f5c9ba332c51d1790362733d59bb599b886136dc5dbdccb76e107f605e8c
Malware Config
Extracted
  Family: dridex
  Botnet: 40112
  C2:
    128.199.200.38:443
    192.163.233.216:6601
    43.229.206.244:4125
  rc4.plain: (key value not present in this extraction)
  rc4.plain: (key value not present in this extraction)
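The extracted C2 list is the most immediately actionable part of this report. The following is an added example, not part of the sandbox output, showing one way to turn those `ip:port` entries into a connection-log check. It assumes a tab-separated log with the fields ts, src_ip, src_port, dst_ip, dst_port, proto (a Zeek conn.log-like layout); the sample log lines are constructed for the example and were not observed in this run. Exact `ip:port` matches are reported as high confidence; because the ports in Dridex configs vary (this single config lists 443, 6601 and 4125), an optional looser mode also flags the C2 hosts on any port at medium confidence.

```python
"""Added example: match the Dridex C2 endpoints extracted in this report
against connection-log lines. Not part of the sandbox report; the log
format and the sample lines are constructed for illustration."""
import ipaddress
import re

# C2 endpoints exactly as listed in the extracted config above.
C2_BLOCK = """
128.199.200.38:443
192.163.233.216:6601
43.229.206.244:4125
"""


def parse_c2(block: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into a set, rejecting malformed entries
    rather than silently producing an indicator that never matches."""
    endpoints: set[tuple[str, int]] = set()
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        ipaddress.ip_address(host)          # raises ValueError on a bad IP
        port_n = int(port)
        if not 1 <= port_n <= 65535:
            raise ValueError(f"bad port in C2 entry: {line!r}")
        endpoints.add((host, port_n))
    return endpoints


# Constructed sample log (assumed tab-separated fields: ts, src_ip,
# src_port, dst_ip, dst_port, proto). These lines are made up for the
# example and do not come from the sandbox run.
SAMPLE_CONN_LOG = """\
1623755700.10\t10.0.0.5\t49712\t128.199.200.38\t443\ttcp
1623755701.22\t10.0.0.5\t49713\t93.184.216.34\t443\ttcp
1623755702.31\t10.0.0.7\t51120\t192.163.233.216\t6601\ttcp
1623755703.45\t10.0.0.7\t51121\t43.229.206.244\t80\ttcp
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<sport>\d+)\t"
    r"(?P<dst>\S+)\t(?P<dport>\d+)\t(?P<proto>\S+)$"
)


def find_c2_hits(log_text: str, c2: set[tuple[str, int]],
                 ip_only: bool = False) -> list[dict]:
    """Return one hit per log line whose destination matches a C2.

    An exact ip:port match is reported as 'high' confidence. With
    ip_only=True a destination IP that appears in the C2 list on a
    different port is also reported, as 'medium': the ports in Dridex
    configs vary (this config alone uses 443, 6601 and 4125), so a known
    C2 host on an unexpected port is still worth a look.
    """
    c2_ips = {ip for ip, _ in c2}
    hits: list[dict] = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue                      # skip headers / malformed lines
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2:
            confidence = "high"
        elif ip_only and dst in c2_ips:
            confidence = "medium"
        else:
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                     "dport": dport, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_CONN_LOG, parse_c2(C2_BLOCK), ip_only=True):
        print(hit)
```

Run against the constructed log, the exact mode returns the two `ip:port` hits and the loose mode adds the third host seen on port 80 as a medium-confidence hit. Malformed C2 entries (no port, out-of-range port, non-IP host) raise instead of being dropped, so a bad indicator is noticed when the list is loaded rather than after it has quietly matched nothing.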
Signatures

YARA rule hit (memory)
  resource: behavioral1/memory/428-115-0x00000000735D0000-0x0000000073600000-memory.dmp
  rule: dridex_ldr
  (matched in the memory of PID 428, the SysWOW64 rundll32.exe that loaded the DLL)

Program crash (1 IoC)
  pid   pid_target   Process        procid_target
  752   428          WerFault.exe   72

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  752   WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   752   WerFault.exe
  Token: SeBackupPrivilege    752   WerFault.exe
  Token: SeDebugPrivilege     752   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process        procid_target
  PID 3916 wrote to memory of 428    3916   rundll32.exe   72
  (3 identical entries)

Note: the EnumeratesProcesses and AdjustPrivilegeToken entries are attributed to WerFault.exe, the Windows crash reporter invoked for the crash of PID 428, and are normal crash-reporter behaviour rather than activity of the sample. The WriteProcessMemory entries are the 64-bit rundll32.exe (PID 3916) writing into its SysWOW64 child (PID 428), consistent with it re-launching the 32-bit rundll32.exe for this 32-bit DLL. The only signature that points at the sample itself is the dridex_ldr memory match; no network IoCs were recorded in this run.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\380bffb5cb1ab717fd2aebcda8dd011231924ba10dbd8805454ba690b63a4b4e.dll,#1
  PID: 3916
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\380bffb5cb1ab717fd2aebcda8dd011231924ba10dbd8805454ba690b63a4b4e.dll,#1
    PID: 428

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 680
      PID: 752
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The DLL is invoked by ordinal (#1). The 64-bit rundll32.exe hands a 32-bit DLL to the SysWOW64 rundll32.exe (PID 428), which is the process in which the dridex_ldr YARA rule matched and which then crashed, so WerFault.exe was started against it (-p 428). The run recorded only 18s of kernel time, so behaviour beyond the loader stage and the extracted config is not captured here.