Analysis
max time kernel: 18s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 16:18
Static task: static1
General
Target: f3e3749dc20de17ac7dc81660287e205b35811fcc497701e2eb291dffb578352.dll
Size: 172KB
MD5: c767c0dc39eae10fea68b0e045bd9990
SHA1: c3904832594a593a2c53f8fd35b57c8e9f005b10
SHA256: f3e3749dc20de17ac7dc81660287e205b35811fcc497701e2eb291dffb578352
SHA512: b6a19a5c8c16e89f84457446abe6b9b5538c91f52366452bb990c4c759f48bca7df09f0ee153458e7498bf6a7f0acd1bdd252e7e844369a971341217bdaedb1f
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
- 210.65.244.187:443
- 162.241.41.92:2303
- 46.231.204.10:8172
- 185.183.159.100:4125
rc4.plain
rc4.plain
Signatures
- yara_rule: resource behavioral1/memory/1972-115-0x0000000073660000-0x0000000073690000-memory.dmp matched rule dridex_ldr
- Program crash (1 IoC)
  pid 1820 (WerFault.exe), pid_target 1972, procid_target 38
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1820 (WerFault.exe), 14 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege, pid 1820 (WerFault.exe)
  Token: SeBackupPrivilege, pid 1820 (WerFault.exe)
  Token: SeDebugPrivilege, pid 1820 (WerFault.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4012 (rundll32.exe) wrote to memory of 1972, procid_target 38, 3 occurrences
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3e3749dc20de17ac7dc81660287e205b35811fcc497701e2eb291dffb578352.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 4012
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3e3749dc20de17ac7dc81660287e205b35811fcc497701e2eb291dffb578352.dll,#1
      PID: 1972
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 676
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 1820