Analysis
- max time kernel: 26s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 11:16
- Static task: static1
General
- Target: 8a0b95cade823288485cfa8523d08d91076d812dae64051542dba892edcedf05.dll
- Size: 170KB
- MD5: 1d8ddea9be84c2a463727193344067f9
- SHA1: cc56e45a0016499dfcbcaef4c0937f7961802991
- SHA256: 8a0b95cade823288485cfa8523d08d91076d812dae64051542dba892edcedf05
- SHA512: 3e5c75cc4b090720b9e0043d27e5ac16862d1fd0aa866e8588c03fa0a895d782f3f535dda6f43f3a53242e3ba8e7e8a2cd348c28f5196d3af8c0af18881dd014
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  - 128.199.200.38:443
  - 192.163.233.216:6601
  - 43.229.206.244:4125
- rc4.plain
- rc4.plain
Signatures
- yara_rule
  - resource: behavioral1/memory/3944-115-0x0000000073620000-0x0000000073650000-memory.dmp
  - rule: dridex_ldr
- Program crash (1 IoCs)
  - pid 580 (WerFault.exe), pid_target 3944, procid_target 69
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  - pid 580 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeRestorePrivilege, pid 580 WerFault.exe
  - Token: SeBackupPrivilege, pid 580 WerFault.exe
  - Token: SeDebugPrivilege, pid 580 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 644 (rundll32.exe) wrote to memory of 3944, procid_target 69 (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (PID:644)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a0b95cade823288485cfa8523d08d91076d812dae64051542dba892edcedf05.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID:3944)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a0b95cade823288485cfa8523d08d91076d812dae64051542dba892edcedf05.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID:580)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken