Analysis
Max time kernel: 17s
Max time network: 139s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 15/06/2021, 11:30
Static task: static1
General
Target: b660fcfe99a2e096d8c8745a9135939432c994a9fe3d0f0fb8bfb127a07051bf.dll
Size: 170KB
MD5: b2ffaf5bdd31b09a4242ceee5a84f47b
SHA1: 70f06d46d5f43ac7402724b75f65c823fe7bf367
SHA256: b660fcfe99a2e096d8c8745a9135939432c994a9fe3d0f0fb8bfb127a07051bf
SHA512: ccc7f0db038a2bd03f9bce1d95433eb2f0f3b01c3f39df2b90bd1432d21525e11ac9441bf721197dbd2e790d668860aaa96d74de4b1797cac9033bff4a7308a8
Malware Config (extracted)
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource:  behavioral1/memory/3128-115-0x0000000074300000-0x0000000074330000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid   pid_target   Process       procid_target
  3896  3128         WerFault.exe  69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  3896  WerFault.exe   (the same pid/process pair is recorded 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeRestorePrivilege 3896  WerFault.exe
  Token: SeBackupPrivilege  3896  WerFault.exe
  Token: SeDebugPrivilege   3896  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                           pid   Process       procid_target
  PID 3872 wrote to memory of 3128      3872  rundll32.exe  69
  PID 3872 wrote to memory of 3128      3872  rundll32.exe  69
  PID 3872 wrote to memory of 3128      3872  rundll32.exe  69
Processes

C:\Windows\system32\rundll32.exe  (PID 3872)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b660fcfe99a2e096d8c8745a9135939432c994a9fe3d0f0fb8bfb127a07051bf.dll,#1
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 3128)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b660fcfe99a2e096d8c8745a9135939432c994a9fe3d0f0fb8bfb127a07051bf.dll,#1

    C:\Windows\SysWOW64\WerFault.exe  (PID 3896)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 680
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken