Analysis
max time kernel: 34s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 15:23
Static task: static1
General
Target: 5d243edc8c83f4ba882f82474ec349b9057be3b3bfc97b1a8c87f96c6fbcb7bb.dll
Size: 170KB
MD5: 664654e23b0df0932536b3c6c7500f30
SHA1: 5fde8833fcc8e42a77539bb7aa69a1b1bd1e9530
SHA256: 5d243edc8c83f4ba882f82474ec349b9057be3b3bfc97b1a8c87f96c6fbcb7bb
SHA512: 0bfa444bc0921b6da38f9833f24bea893a6020298159e3f953145ce17f7202bdcf5d6c673722fee24cbff09b960f7e0d09052858ed1b2cf0a99a43dd6fd1b991
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA rule match
resource                                                                       yara_rule
behavioral1/memory/3968-115-0x0000000073990000-0x00000000739C0000-memory.dmp   dridex_ldr

Program crash 1 IoCs
pid    pid_target   Process        procid_target
3540   3968         WerFault.exe   70

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid    Process
3540   WerFault.exe
(all 14 entries are identical: pid 3540, WerFault.exe)

Suspicious use of AdjustPrivilegeToken 3 IoCs
description                   pid    Process
Token: SeRestorePrivilege     3540   WerFault.exe
Token: SeBackupPrivilege      3540   WerFault.exe
Token: SeDebugPrivilege       3540   WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
description                         pid    Process        procid_target
PID 2544 wrote to memory of 3968    2544   rundll32.exe   70
PID 2544 wrote to memory of 3968    2544   rundll32.exe   70
PID 2544 wrote to memory of 3968    2544   rundll32.exe   70
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d243edc8c83f4ba882f82474ec349b9057be3b3bfc97b1a8c87f96c6fbcb7bb.dll,#1
  PID: 2544
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d243edc8c83f4ba882f82474ec349b9057be3b3bfc97b1a8c87f96c6fbcb7bb.dll,#1
    PID: 3968
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 680
      PID: 3540
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken