Analysis
max time kernel: 19s
max time network: 152s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 12:05
Static task: static1
General
Target: acbbe33c1a15f803f2ba6262b76e57cd5bb0fe8e210eeaf1b1b492b78deedb83.dll
Size: 172KB
MD5: df7a9e137b8bc5ec8ef4bff980bb0909
SHA1: 4ea3cef1ac505aa2537f6bc2275ed0087c65a06b
SHA256: acbbe33c1a15f803f2ba6262b76e57cd5bb0fe8e210eeaf1b1b492b78deedb83
SHA512: 14f25cd9650b4fbb10753909ff2e760e2c7fa3e2a502d70952c4aa4df7f7d6b79dc8657194016bb66f19ab286a21e0f445a694b0007f6d13fc90d09ebe07540e
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
Signatures

dridex_ldr (yara_rule)
  resource                                                                      yara_rule
  behavioral1/memory/3128-115-0x0000000074300000-0x0000000074330000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3872  3128        WerFault.exe  70

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  3872  WerFault.exe   (same row repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  3872  WerFault.exe
  Token: SeBackupPrivilege   3872  WerFault.exe
  Token: SeDebugPrivilege    3872  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 500 wrote to memory of 3128  500  rundll32.exe  70   (same row repeated 3 times)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\acbbe33c1a15f803f2ba6262b76e57cd5bb0fe8e210eeaf1b1b492b78deedb83.dll,#1
  PID: 500
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\acbbe33c1a15f803f2ba6262b76e57cd5bb0fe8e210eeaf1b1b492b78deedb83.dll,#1
    PID: 3128

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 680
      PID: 3872
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken