Analysis

max time kernel: 22s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:10
Static task: static1
General

Target: e2485bfa87db7ba5b26e4e7344af6dbe296b18310f077399537444f39bc144f6.dll
Size: 172KB
MD5: 185bd9a9420d8a6489d1cebc0f744ee3
SHA1: 4f6845cf47db0ea6cf63050239b6af6912a9eb3d
SHA256: e2485bfa87db7ba5b26e4e7344af6dbe296b18310f077399537444f39bc144f6
SHA512: 815fad3147ace06c2cb5800a17afe8c64c220c4684c85fa3443266aca132d3535356cd70c6f7a46b26d74ec1205407241b8f50186cac6daf76f612d22ffad817
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

YARA rule match (1 IoC)
resource                                                                       yara_rule
behavioral1/memory/3936-115-0x0000000073990000-0x00000000739C0000-memory.dmp   dridex_ldr

Program crash (1 IoC)
pid   pid_target   Process        procid_target
192   3936         WerFault.exe   69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
192   WerFault.exe   (the same entry is reported 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   192   WerFault.exe
Token: SeBackupPrivilege    192   WerFault.exe
Token: SeDebugPrivilege     192   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process        procid_target
PID 408 wrote to memory of 3936   408   rundll32.exe   69
(the same entry is reported 3 times)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2485bfa87db7ba5b26e4e7344af6dbe296b18310f077399537444f39bc144f6.dll,#1
  PID: 408
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2485bfa87db7ba5b26e4e7344af6dbe296b18310f077399537444f39bc144f6.dll,#1
    PID: 3936

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 676
      PID: 192
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
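The process tree above shows the pattern a detection engineer would want to catch in endpoint telemetry: the 64-bit rundll32.exe is handed a DLL from the user's Temp directory and called by export ordinal (#1), it re-launches the 32-bit SysWOW64 rundll32.exe for the same DLL (the WriteProcessMemory hits are the parent writing into that child), and WerFault.exe is then spawned to handle the child's crash (-p 3936). The following is an added example, not part of the sandbox report or of any vendor's rule set; the process-creation events are constructed from the PIDs and command lines in this report, and the event schema (pid, ppid, image, cmdline) is an assumption rather than a real Sysmon or EDR field layout.

```python
"""Added example: flag the rundll32 -> WoW64 rundll32 -> WerFault chain from this
report in process-creation telemetry. The event records below are constructed
from the report's process tree; the field names are assumed, not a real schema."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\e2485bfa87db7ba5b26e4e7344af6dbe296b18310f077399537444f39bc144f6.dll")

# Constructed from the process tree in this report (PIDs and command lines as shown).
# PID 1234 stands in for an unknown parent; the shell32 entry is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(408, 1234, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    ProcEvent(3936, 408, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    ProcEvent(192, 3936, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 676"),
    ProcEvent(500, 1234, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32 [path\]name.dll,EntryPoint  (entry may be a name or an ordinal like #1)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)', re.I)
# DLL sitting under a user profile's AppData tree (user-writable, no admin needed)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# WerFault's -p argument names the crashed process
WERFAULT_PID = re.compile(r"-p\s+(?P<target>\d+)")


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("entry")


def find_findings(events):
    """Return a list of (pid, reason) for events matching the chain in this report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        if name == "rundll32.exe":
            parsed = parse_rundll32(e.cmdline)
            if parsed:
                dll, entry = parsed
                # Loading by ordinal hides the export name; from AppData it is rarely legitimate.
                if USER_WRITABLE.search(dll) and entry.startswith("#"):
                    findings.append((e.pid, "rundll32 loads user-writable DLL by ordinal"))
            parent = by_pid.get(e.ppid)
            # x64 rundll32 given a 32-bit DLL re-executes itself from SysWOW64.
            if (parent and parent.image.lower().endswith(r"\system32\rundll32.exe")
                    and "\\syswow64\\" in e.image.lower()):
                findings.append((e.pid, "x64 rundll32 re-launched 32-bit rundll32"))
        elif name == "werfault.exe":
            m = WERFAULT_PID.search(e.cmdline)
            if m:
                target = by_pid.get(int(m.group("target")))
                # A crash of the DLL host is the tell that the loader misbehaved in the sandbox.
                if target and target.image.lower().endswith("rundll32.exe"):
                    findings.append((e.pid, f"WerFault handling crash of rundll32 pid {target.pid}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_findings(SAMPLE_EVENTS):
        print(pid, reason)
```

The three signals are scored separately so that each survives on its own: the ordinal load from AppData fires on the parent even when the child never crashes, the SysWOW64 re-launch is keyed on the parent/child images rather than on the command line, and the WerFault rule resolves -p back to the crashed image rather than trusting the WerFault parent relationship. The benign shell32.dll control in the sample produces no finding.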