Analysis
max time kernel: 17s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 15:25
Static task: static1
General
Target: 6b03dabe58aa643e74919d07dee8e05fa2d66d3921bd322aca1e69faab68ef3c.dll
Size: 172KB
MD5: 9753a540acb7024c4ed4e65d022dfa5e
SHA1: 98a200f7f19a8d71d199d9338e872a1aae9252b1
SHA256: 6b03dabe58aa643e74919d07dee8e05fa2d66d3921bd322aca1e69faab68ef3c
SHA512: aae402e191c308d142db1a86c3422b2f54376cd9008937d4de95d49ae1e9b2e3c4655589675e9896c68df20be2fc1ac06c57f98d5b852a69d21d9291c124977a
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
210.65.244.187:443
162.241.41.92:2303
46.231.204.10:8172
185.183.159.100:4125
rc4.plain (two entries; the key values are not present on this page)
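The four C2 endpoints above are the indicators a responder would hunt for first. The following is an added example, not part of the sandbox report: it takes the extracted C2 list as written, validates it, and matches it against connection log lines. The log format (key=value, hypothetical) and the log lines themselves are constructed for the demonstration; they are not traffic from this analysis. Exact ip:port matches are reported at full confidence, and a connection to a C2 host on a different port is reported as a weaker "ip-only" hit, since Dridex nodes are sometimes contacted on more than one port.

```python
"""Match the extracted Dridex botnet 40112 C2 endpoints against connection logs."""
import ipaddress
import re
from dataclasses import dataclass

# C2 endpoints exactly as listed in the extracted config above.
DRIDEX_40112_C2 = [
    "210.65.244.187:443",
    "162.241.41.92:2303",
    "46.231.204.10:8172",
    "185.183.159.100:4125",
]

# Constructed firewall-style log lines in a hypothetical key=value format;
# they are not from the sandbox run.
SAMPLE_LOG = """\
2021-06-15T15:26:01Z src=10.0.0.5:49811 dst=210.65.244.187:443 proto=tcp action=allow
2021-06-15T15:26:02Z src=10.0.0.5:49812 dst=8.8.8.8:53 proto=udp action=allow
2021-06-15T15:26:03Z src=10.0.0.7:49900 dst=46.231.204.10:80 proto=tcp action=allow
2021-06-15T15:26:04Z src=10.0.0.9:50001 dst=185.183.159.100:4125 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)\s")


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    confidence: str   # "exact": ip and port match; "ip-only": same host, other port


def parse_endpoints(entries):
    """'ip:port' strings -> (set of (ip, port), set of ip). Malformed IPs raise."""
    exact, hosts = set(), set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)
        exact.add((ip, int(port)))
        hosts.add(ip)
    return exact, hosts


def scan_log(text, endpoints=DRIDEX_40112_C2):
    """Return a Hit for every line whose destination is a known C2 endpoint.

    Denied connections are still reported: a blocked beacon attempt is the
    evidence that the source host is infected.
    """
    exact, hosts = parse_endpoints(endpoints)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a connection record in the expected format
        ip = ipaddress.ip_address(m.group("dip"))
        port = int(m.group("dport"))
        if (ip, port) in exact:
            conf = "exact"
        elif ip in hosts:
            conf = "ip-only"
        else:
            continue
        hits.append(Hit(m.group("ts"), m.group("src"), f"{ip}:{port}", conf))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```

Run against the constructed lines it reports three hits: the allowed 443 connection, the ip-only contact to 46.231.204.10 on port 80, and the denied attempt to 185.183.159.100:4125. Swap `SAMPLE_LOG` for real firewall or proxy output and adjust `LINE_RE` to that format; the matching logic does not change.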
Signatures
YARA (resource behavioral1): memory dump 3552-115-0x0000000073F20000-0x0000000073F50000-memory.dmp matched rule dridex_ldr. The region belongs to PID 3552, the SysWOW64 rundll32.exe that loaded the DLL, so the match is on the Dridex loader as mapped in that process.
Program crash (1 IoC)
pid 184 (WerFault.exe), pid_target 3552, procid_target 69
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid 184 (WerFault.exe), 14 identical entries
Suspicious use of AdjustPrivilegeToken (3 IoCs)
pid 184 (WerFault.exe): SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
PID 4036 (rundll32.exe) wrote to memory of PID 3552 (procid_target 69), 3 identical entries
Note that the EnumeratesProcesses and AdjustPrivilegeToken hits are raised by WerFault.exe, the Windows Error Reporting handler dumping the crashed process, not by the sample; SeDebugPrivilege is what it needs to read another process's memory. The WriteProcessMemory entries have the parent rundll32.exe writing into its own child, which is what ordinary process creation looks like, rather than injection into a foreign process.
Processes
C:\Windows\system32\rundll32.exe (PID 4036)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b03dabe58aa643e74919d07dee8e05fa2d66d3921bd322aca1e69faab68ef3c.dll,#1
  Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\rundll32.exe (PID 3552)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b03dabe58aa643e74919d07dee8e05fa2d66d3921bd322aca1e69faab68ef3c.dll,#1
    child: C:\Windows\SysWOW64\WerFault.exe (PID 184)
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 680
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
The sample is a 32-bit DLL: the 64-bit rundll32.exe in system32 hands it off by re-executing the SysWOW64 copy with the same arguments, so the DLL actually runs in PID 3552, entered through ordinal export #1. That process crashed and was picked up by WerFault.exe (-p 3552). No network indicators appear in this report; the C2 list above comes from the extracted configuration, not from observed connections.
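The process chain above (rundll32.exe loading a DLL from the user's Temp directory by ordinal, re-spawning itself under SysWOW64, then crashing into WerFault.exe) is detectable from process-creation telemetry alone. The following is an added example, not part of the sandbox report: the PIDs, images and command lines of the first three events are taken from the tree above, while the event format (a simplified Sysmon event 1 style record), the parent of PID 4036 (not recorded in the report, set to 0 here) and the two benign events added for contrast are constructed.

```python
"""Detect rundll32 -> SysWOW64 rundll32 -> WerFault chains from process events."""
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\6b03dabe58aa643e74919d07dee8e05fa2d66d3921bd322aca1e69faab68ef3c.dll"

# Constructed process-creation events. The first three mirror the report's
# process tree; ppid 0 marks a parent the report does not record. The last
# two are benign additions: a Control Panel rundll32 use and a WerFault run
# for an unrelated PID.
SAMPLE_EVENTS = [
    {"pid": 4036, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 3552, "ppid": 4036, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 184, "ppid": 3552, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 680"},
    {"pid": 500, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 600, "ppid": 0, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 999 -s 100"},
]

# rundll32 takes "<dll>,<entry>"; an entry starting with '#' is an ordinal.
RUNDLL_RE = re.compile(
    r"rundll32\.exe\s+\"?(?P<dll>[^\",]+\.dll)\"?\s*,\s*(?P<entry>\S+)", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)


def suspicious_rundll32(ev):
    """Return a message if ev is rundll32 loading a DLL from user Temp by ordinal."""
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL_RE.search(ev["cmdline"])
    if not m:
        return None
    dll, entry = m.group("dll"), m.group("entry")
    # Tuning choice: require both conditions so Control Panel style uses of
    # rundll32 with named exports from system directories stay quiet.
    if USER_TEMP_RE.search(dll) and entry.startswith("#"):
        return f"rundll32 loads {dll} via ordinal export {entry}"
    return None


def detect(events):
    """Return [(pid, message)] covering the loader, its WoW64 relaunch and its crash."""
    by_pid = {ev["pid"]: ev for ev in events}
    flagged = {}
    findings = []
    for ev in events:
        msg = suspicious_rundll32(ev)
        if msg:
            flagged[ev["pid"]] = ev
            findings.append((ev["pid"], msg))
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        # A flagged 64-bit rundll32 re-spawning SysWOW64\rundll32.exe with the
        # same command line means the DLL is 32-bit; record the hand-off.
        if (ev["pid"] in flagged and parent is not None and parent["pid"] in flagged
                and "\\syswow64\\" in ev["image"].lower()
                and parent["cmdline"] == ev["cmdline"]):
            findings.append((ev["pid"], f"WoW64 rundll32 relaunched by rundll32 pid {parent['pid']}"))
        # WerFault -p <pid> on a flagged process: the loader crashed, as in the report.
        m = WERFAULT_PID_RE.search(ev["cmdline"])
        if m and int(m.group("pid")) in flagged:
            findings.append((ev["pid"], f"WerFault crash report for flagged rundll32 pid {m.group('pid')}"))
    return findings


if __name__ == "__main__":
    for pid, message in detect(SAMPLE_EVENTS):
        print(pid, message)
```

On the constructed events this yields four findings: PIDs 4036 and 3552 for loading the Temp DLL by ordinal, 3552 again for the WoW64 relaunch, and 184 for the WerFault report on 3552; the shell32.dll Control Panel invocation and the WerFault run for PID 999 produce nothing. The crash finding is worth keeping as its own signal: a loader that faults in rundll32.exe shortly after start is what this report shows, and on a real host it often precedes a second, successful attempt.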