Analysis
- max time kernel: 29s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 11:21
- Static task: static1
General
- Target: 3413b5e172a92fdc7bb147910ec838b8586a41cfd112bedf6ad2900a4404cf04.dll
- Size: 172KB
- MD5: 7d13c430de795064ad2fe2fe1be341f9
- SHA1: ca85d86a8c58b69ed2a3428299f18935f26fa566
- SHA256: 3413b5e172a92fdc7bb147910ec838b8586a41cfd112bedf6ad2900a4404cf04
- SHA512: 38e6439c00cfc9dada3a669ba427b57e3ee36cda568c1f59bb0947c618396f9eeb2efa89403461bb4192717d901f5d042033a0ddabcd39f4c0759a3bc274475a
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- YARA rule match
  resource: behavioral1/memory/2496-115-0x0000000073990000-0x00000000739C0000-memory.dmp
  yara_rule: dridex_ldr
- Program crash (1 IoC)
  pid: 2284, pid_target: 2496, Process: WerFault.exe, procid_target: 71
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 2284, Process: WerFault.exe (same entry recorded 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeRestorePrivilege, pid: 2284, Process: WerFault.exe
  description: Token: SeBackupPrivilege, pid: 2284, Process: WerFault.exe
  description: Token: SeDebugPrivilege, pid: 2284, Process: WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1404 wrote to memory of 2496, pid: 1404, Process: rundll32.exe, procid_target: 71 (same entry recorded 3 times)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3413b5e172a92fdc7bb147910ec838b8586a41cfd112bedf6ad2900a4404cf04.dll,#1
   PID: 1404
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1404)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3413b5e172a92fdc7bb147910ec838b8586a41cfd112bedf6ad2900a4404cf04.dll,#1
      PID: 2496
      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 2496)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 680
         PID: 2284
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken