Analysis
max time kernel: 25s
max time network: 87s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:09
Static task: static1
General
Target: 812dfe31a6e61ebaa7c50de0495c4a494c1606d3b510d15e9cb427813617cc59.dll
Size: 170KB
MD5: 7b8bbfdf4eb65d68019754bce7700fa3
SHA1: d085cf5021f19f0afa3a527731d125ea6bd60006
SHA256: 812dfe31a6e61ebaa7c50de0495c4a494c1606d3b510d15e9cb427813617cc59
SHA512: c49e1985d8638ae350f3eafd84572c769f414369a9c79881d714c73dc429a18895af2f1f69081d4bba6a9e2a1c51b601de26d02f5595a4c01483c154edfe0fa5
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
128.199.200.38:443
192.163.233.216:6601
43.229.206.244:4125
rc4.plain
rc4.plain
(two rc4.plain entries are listed; the key values are not reproduced in this extract)
Signatures

yara_rule
resource: behavioral1/memory/996-115-0x00000000744D0000-0x0000000074500000-memory.dmp
rule: dridex_ldr

Program crash (1 IoC)
pid: 3684  pid_target: 996  Process: WerFault.exe  procid_target: 69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid: 3684  Process: WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeRestorePrivilege  pid: 3684  Process: WerFault.exe
Token: SeBackupPrivilege   pid: 3684  Process: WerFault.exe
Token: SeDebugPrivilege    pid: 3684  Process: WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
PID 636 wrote to memory of 996  pid: 636  Process: rundll32.exe  procid_target: 69  (3 identical entries)

Note that the EnumeratesProcesses and AdjustPrivilegeToken IoCs are all raised by WerFault.exe (PID 3684), the Windows Error Reporting handler started for the crash of PID 996, not by the sample itself. The only signature that matches the sample's code is the dridex_ldr YARA hit on the memory dump of PID 996.
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\812dfe31a6e61ebaa7c50de0495c4a494c1606d3b510d15e9cb427813617cc59.dll,#1
  PID: 636
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\812dfe31a6e61ebaa7c50de0495c4a494c1606d3b510d15e9cb427813617cc59.dll,#1
      PID: 996
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 680
          PID: 3684
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

The 64-bit rundll32.exe (PID 636) re-launched the DLL under the 32-bit SysWOW64 rundll32.exe (PID 996), which is what rundll32 does on x64 Windows when handed a 32-bit DLL; the WriteProcessMemory IoCs are 636 writing into the child it created. PID 996 is the process in which the dridex_ldr YARA rule matched, so it is the one that actually ran the loader (invoked by ordinal, export #1). It then crashed, and WerFault.exe (PID 3684) was started for it (-p 996), which accounts for every WerFault entry in the Signatures section.
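Detection logic for the indicators in this report, as an added example that is not part of the sandbox output. It runs over constructed Sysmon-style events (the PIDs mirror the report's process tree, but the events and the network connections are made up for illustration) and flags four things the report documents: rundll32 loading a DLL from the user's Temp directory by ordinal, the system32 to SysWOW64 rundll32 hop with the same DLL argument, connections to the three extracted C2 endpoints, and a WerFault launch for a flagged PID. The event schema (kind, pid, ppid, image, cmdline, dst_ip, dst_port) is this example's own assumption, not a real log format.

```python
"""Detection logic for the Dridex report's IoCs (added example, not sandbox output)."""
import re

DLL_NAME = "812dfe31a6e61ebaa7c50de0495c4a494c1606d3b510d15e9cb427813617cc59.dll"

# C2 endpoints the sandbox extracted from the sample (Dridex, botnet 40112).
DRIDEX_C2 = {
    ("128.199.200.38", 443),
    ("192.163.233.216", 6601),
    ("43.229.206.244", 4125),
}

# rundll32 loading a DLL from the user's Temp directory by ordinal (",#1" in the report).
TEMP_DLL_ORDINAL = re.compile(
    r"rundll32\.exe\s+(?P<dll>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^,\s]+\.dll),#\d+",
    re.IGNORECASE,
)

# Constructed Sysmon-style events; the schema (kind/pid/ppid/image/cmdline/dst_ip/dst_port)
# is this example's own. kind 1 = process creation, kind 3 = network connection.
# PIDs mirror the report's tree; the connections themselves are made up.
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
LOADER_CMD = f"rundll32.exe {TEMP_DIR}\\{DLL_NAME},#1"
SAMPLE_EVENTS = [
    {"kind": 1, "pid": 636, "ppid": 4120, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": LOADER_CMD},
    {"kind": 1, "pid": 996, "ppid": 636, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": LOADER_CMD},
    {"kind": 3, "pid": 996, "dst_ip": "192.163.233.216", "dst_port": 6601},  # listed C2
    {"kind": 3, "pid": 996, "dst_ip": "203.0.113.10", "dst_port": 443},      # not in the C2 set
    {"kind": 1, "pid": 3684, "ppid": 996, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 680"},
    {"kind": 1, "pid": 5000, "ppid": 4120, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # ordinary use, no hit
]


def rundll32_temp_dll_loads(events):
    """(pid, image, dll) for every rundll32 that loaded a DLL from Temp by ordinal."""
    hits = []
    for ev in events:
        if ev["kind"] != 1 or not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = TEMP_DLL_ORDINAL.search(ev["cmdline"])
        if m:
            hits.append((ev["pid"], ev["image"], m.group("dll")))
    return hits


def wow64_rundll32_hops(events):
    """(parent_pid, child_pid) where system32\\rundll32.exe spawned SysWOW64\\rundll32.exe
    for the same Temp DLL, i.e. the 636 -> 996 hop in the report's tree."""
    procs = {ev["pid"]: ev for ev in events if ev["kind"] == 1}
    hops = []
    for ev in procs.values():
        parent = procs.get(ev["ppid"])
        if parent is None:
            continue
        if ("\\syswow64\\rundll32.exe" in ev["image"].lower()
                and "\\system32\\rundll32.exe" in parent["image"].lower()):
            child_m = TEMP_DLL_ORDINAL.search(ev["cmdline"])
            parent_m = TEMP_DLL_ORDINAL.search(parent["cmdline"])
            if child_m and parent_m and child_m.group("dll").lower() == parent_m.group("dll").lower():
                hops.append((parent["pid"], ev["pid"]))
    return hops


def c2_connections(events):
    """(pid, ip, port) for network events that hit the extracted C2 set."""
    return [(ev["pid"], ev["dst_ip"], ev["dst_port"])
            for ev in events
            if ev["kind"] == 3 and (ev["dst_ip"], ev["dst_port"]) in DRIDEX_C2]


def werfault_crashes_of(events, pids):
    """PIDs from `pids` that WerFault.exe was launched for (-p <pid>), as with PID 996 here."""
    crashed = set()
    for ev in events:
        if ev["kind"] == 1 and ev["image"].lower().endswith("\\werfault.exe"):
            m = re.search(r"-p\s+(\d+)", ev["cmdline"])
            if m and int(m.group(1)) in pids:
                crashed.add(int(m.group(1)))
    return crashed


def triage(events):
    """Run all four checks and return the findings keyed by check name."""
    loads = rundll32_temp_dll_loads(events)
    flagged = {pid for pid, _, _ in loads}
    return {
        "temp_dll_loads": loads,
        "wow64_hops": wow64_rundll32_hops(events),
        "c2": c2_connections(events),
        "crashed": werfault_crashes_of(events, flagged),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

To use this against real telemetry, map Sysmon event ID 1 (process creation) and ID 3 (network connection) or the equivalent EDR fields onto the same keys. The C2 set is the short-lived indicator, since Dridex infrastructure rotates; the process-chain rule (64-bit rundll32 re-launching a Temp DLL by ordinal under SysWOW64) is the one worth keeping as a standing detection.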