Analysis
max time kernel: 17s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:27
Static task: static1
General
Target: d4a5e8f88ac4ff7f29e774bccd0eb047176b76490a9934c4da119b877936b434.dll
Size: 172KB
MD5: 08f0715ce79cdfc1f48c08d2abec53e3
SHA1: d89e55c4ed557d22a4a4b634f5049e531be2d2e6
SHA256: d4a5e8f88ac4ff7f29e774bccd0eb047176b76490a9934c4da119b877936b434
SHA512: 04c715069e8a90f1ada4d5aa874a29de4b0a34f4f3808c7bb8e568517cc2ebe222a4a50a2d91bb3015bf3141d9774f61eaf560062ab4b0f1acd082a2f56469f2
Malware Config (extracted)
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
Signatures

yara_rule
  resource: behavioral1/memory/2100-115-0x0000000073B80000-0x0000000073BB0000-memory.dmp
  rule: dridex_ldr

Program crash (1 IoC)
  pid 1672, pid_target 2100, Process WerFault.exe, procid_target 69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1672, Process WerFault.exe (the same entry is reported 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege, pid 1672, Process WerFault.exe
  Token: SeBackupPrivilege, pid 1672, Process WerFault.exe
  Token: SeDebugPrivilege, pid 1672, Process WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 772 wrote to memory of 2100, pid 772, Process rundll32.exe, procid_target 69
  PID 772 wrote to memory of 2100, pid 772, Process rundll32.exe, procid_target 69
  PID 772 wrote to memory of 2100, pid 772, Process rundll32.exe, procid_target 69
Processes

C:\Windows\system32\rundll32.exe (PID 772)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4a5e8f88ac4ff7f29e774bccd0eb047176b76490a9934c4da119b877936b434.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 2100, child of 772)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4a5e8f88ac4ff7f29e774bccd0eb047176b76490a9934c4da119b877936b434.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (PID 1672, child of 2100)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken