Analysis
Max time kernel: 19s
Max time network: 149s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 15/06/2021, 11:23
Static task: static1
General
Target: f1489e365479f0cd4e3c53293e120564493d9f397d55617f126c90e4b7953d70.dll
Size: 170KB
MD5: a7db8f270437814506886d74f7863bba
SHA1: 4234e86361368f1a92a0216ccd975bcfdf381b3f
SHA256: f1489e365479f0cd4e3c53293e120564493d9f397d55617f126c90e4b7953d70
SHA512: 2cdeadca572a27e5db3a4a2a769f2c5ae04a59af3b77a0d1d87ca37ef0bb0e31d088ae74c75945d03412a5ec3c41fd7f0bc4bc3b0f769b5ecc8f63011113540e
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures
yara_rule dridex_ldr
  resource: behavioral1/memory/3964-115-0x00000000742E0000-0x0000000074310000-memory.dmp
  (the Dridex loader signature hit in the memory of the SysWOW64 rundll32.exe process, PID 3964)

Program crash, 1 IoC
  pid 1076 WerFault.exe; pid_target 3964; procid_target 70

Suspicious behavior: EnumeratesProcesses, 14 IoCs
  pid 1076 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken, 3 IoCs
  Token: SeRestorePrivilege, pid 1076 WerFault.exe
  Token: SeBackupPrivilege, pid 1076 WerFault.exe
  Token: SeDebugPrivilege, pid 1076 WerFault.exe

Suspicious use of WriteProcessMemory, 3 IoCs
  PID 4084 rundll32.exe wrote to memory of 3964; procid_target 70 (3 occurrences)

Note: the EnumeratesProcesses and AdjustPrivilegeToken hits come from WerFault.exe, the Windows Error Reporting handler launched to dump PID 3964 after the loader crashed (it enables SeDebugPrivilege to read the crashed process), so they describe crash handling rather than the sample's own behavior. The indicators attributable to the sample are the dridex_ldr memory hit in PID 3964 and the WriteProcessMemory from the 64-bit rundll32.exe (PID 4084) into its 32-bit child.
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1489e365479f0cd4e3c53293e120564493d9f397d55617f126c90e4b7953d70.dll,#1
  PID: 4084
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1489e365479f0cd4e3c53293e120564493d9f397d55617f126c90e4b7953d70.dll,#1
    PID: 3964
    C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 680
      PID: 1076
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The DLL is invoked by ordinal (export #1), as is typical for Dridex loaders. The 64-bit rundll32.exe in system32 relaunches the 32-bit copy under SysWOW64 because the DLL is a 32-bit image; the loader then crashes in PID 3964 and WerFault.exe is started against it. No network activity to the configured C2 endpoints is recorded in this run.
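The process tree above (64-bit rundll32.exe respawning a SysWOW64 rundll32.exe that loads a DLL from the user's Temp directory by ordinal) and the extracted C2 list are the two things worth hunting for in endpoint telemetry. The script below is an added example, not part of the sandbox report: it runs a small set of checks over process-creation and network-connection events. The event records are constructed from the command lines, image paths and PIDs in this report (the parent PID 1000, the benign control line and the network event are made up; the report shows no connections, since the loader crashed), and the field layout (pid, ppid, image, cmdline, dst_ip, dst_port) is an assumed Sysmon-like schema rather than any vendor's format.

```python
"""Hunt for the rundll32 / Dridex loader pattern shown in this report.

Added example, not part of the sandbox report. Event records are constructed
from the report's process tree plus invented control data; the schema is an
assumption, not a real telemetry format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# C2 endpoints from the extracted config (botnet 40112).
DRIDEX_C2 = {
    ("128.199.200.38", 443),
    ("192.163.233.216", 6601),
    ("43.229.206.244", 4125),
}

# "rundll32 <dll>,#<n>" loads an export by ordinal; Dridex loaders use this.
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)
# DLL path under a user's AppData\Local\Temp.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def check_process(ev: ProcEvent, parents: Dict[int, ProcEvent]) -> List[str]:
    """Findings for one process-creation event; parents maps pid -> event."""
    findings: List[str] = []
    if not is_rundll32(ev.image):
        return findings
    if ORDINAL_EXPORT.search(ev.cmdline) and USER_TEMP.search(ev.cmdline):
        findings.append("rundll32 loads DLL from user Temp by ordinal export")
    parent = parents.get(ev.ppid)
    # 64-bit rundll32 (system32) re-launching the 32-bit copy (SysWOW64):
    # what rundll32 does when the DLL it was given is a 32-bit image.
    if (parent is not None and is_rundll32(parent.image)
            and "\\system32\\" in parent.image.lower()
            and "\\syswow64\\" in ev.image.lower()):
        findings.append("64-bit rundll32 respawned as SysWOW64 rundll32 (32-bit DLL)")
    return findings


def check_network(ev: NetEvent) -> List[str]:
    """Exact ip:port match against the extracted C2 list."""
    if (ev.dst_ip, ev.dst_port) in DRIDEX_C2:
        return [f"connects to known Dridex C2 {ev.dst_ip}:{ev.dst_port}"]
    return []


def hunt(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for all events."""
    parents = {p.pid: p for p in procs}
    out: List[Tuple[int, str]] = []
    for p in procs:
        out.extend((p.pid, msg) for msg in check_process(p, parents))
    for n in nets:
        out.extend((n.pid, msg) for msg in check_network(n))
    return out


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\f1489e365479f0cd4e3c53293e120564493d9f397d55617f126c90e4b7953d70.dll")

# Constructed from the report's process tree; ppid 1000 is an invented parent.
SAMPLE_PROCS = [
    ProcEvent(4084, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3964, 4084, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1076, 3964, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 680"),
    # Constructed benign control: a normal named-export invocation.
    ProcEvent(5120, 1000, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]
# Constructed: the report records no connections (the loader crashed).
SAMPLE_NET = [
    NetEvent(3964, r"C:\Windows\SysWOW64\rundll32.exe", "192.163.233.216", 6601),
    NetEvent(5120, r"C:\Windows\system32\rundll32.exe", "8.8.8.8", 53),
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_PROCS, SAMPLE_NET):
        print(f"PID {pid}: {finding}")
```

The ordinal-export check alone is noisy in some environments (installers use `#` exports too), so pair it with the Temp-path condition as above, and treat the cross-architecture respawn as corroboration rather than a standalone alert. The C2 match is exact ip:port; widen it to IP-only if the config's ports rotate.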