Analysis
  max time kernel:   27s
  max time network:  96s
  platform:          windows10_x64
  resource:          win10v20210408
  submitted:         15/06/2021, 11:19
  Static task:       static1
General
  Target:  74762e613f00e257f796c49a7c8be5e400e182303bbbef420a19ae18a404b0e9.dll
  Size:    172KB
  MD5:     7e337b5c51f54d0d4483ce54a801bd70
  SHA1:    b746a43f6fd28f3187542d537268f2b4da72c1fc
  SHA256:  74762e613f00e257f796c49a7c8be5e400e182303bbbef420a19ae18a404b0e9
  SHA512:  23470dc80885e4607bfd19c57852db34f44c3e751ff78eb4b3dfa0c51a491a9a185e53d0271876d513dd4e14d9bd0534201276c70a55166b551edb16ca0e9073
Malware Config
Extracted
  Family:  dridex
  Botnet:  40112
  C2:      210.65.244.187:443
           162.241.41.92:2303
           46.231.204.10:8172
           185.183.159.100:4125
  rc4.plain
  rc4.plain
Signatures

  resource:   behavioral1/memory/4012-115-0x0000000073A70000-0x0000000073AA0000-memory.dmp
  yara_rule:  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2960  4012        WerFault.exe  69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  2960  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  2960  WerFault.exe
  Token: SeBackupPrivilege   2960  WerFault.exe
  Token: SeDebugPrivilege    2960  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 668 wrote to memory of 4012  668  rundll32.exe  69   (3 identical entries)
Processes

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74762e613f00e257f796c49a7c8be5e400e182303bbbef420a19ae18a404b0e9.dll,#1
    PID: 668
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74762e613f00e257f796c49a7c8be5e400e182303bbbef420a19ae18a404b0e9.dll,#1
      PID: 4012

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 680
        PID: 2960
        signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken