Analysis
- max time kernel: 28s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 11:10
- Static task: static1
General
- Target: 829112dcfed307b908e7e38896f923600c3e2d9be0e0f80d6d2524ccd2a40713.dll
- Size: 172KB
- MD5: f28d96b9b4ac8a1ffda1afa73c98775d
- SHA1: 4ceb2476cbae5c0c87de53d986700951d564291b
- SHA256: 829112dcfed307b908e7e38896f923600c3e2d9be0e0f80d6d2524ccd2a40713
- SHA512: b169ebb702cf700acf4395e9437bf782a004ac9f867ca7e0ceea33ece3d05df1fdee16c820eb18de92f801def1ef69e20706ea1ffdfb0ffb62eab7a3daad00e4
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- Yara rule match (resource: behavioral1/memory/432-115-0x0000000074400000-0x0000000074430000-memory.dmp): dridex_ldr
- Program crash (1 IoC)
  - pid 1368 (WerFault.exe), pid_target 432, procid_target 70
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  - pid 1368 (WerFault.exe), 14 entries, all for the same process
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeRestorePrivilege, pid 1368 (WerFault.exe)
  - Token: SeBackupPrivilege, pid 1368 (WerFault.exe)
  - Token: SeDebugPrivilege, pid 1368 (WerFault.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 744 (rundll32.exe) wrote to memory of 432, procid_target 70; 3 identical entries
Processes
- C:\Windows\system32\rundll32.exe (PID: 744)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\829112dcfed307b908e7e38896f923600c3e2d9be0e0f80d6d2524ccd2a40713.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 432)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\829112dcfed307b908e7e38896f923600c3e2d9be0e0f80d6d2524ccd2a40713.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID: 1368)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 684
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken