Analysis
max time kernel: 25s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:15
Static task: static1
General
Target: 4d404a3ccf66caa47441ad80eefe3ca5b14fa82dd41271e9ce708b20d6208e47.dll
Size: 172KB
MD5: 41d6281c20127f93b8b0c12c60cd1316
SHA1: b36e7dd693f16170d55a62f5419755d7a1ea5f6d
SHA256: 4d404a3ccf66caa47441ad80eefe3ca5b14fa82dd41271e9ce708b20d6208e47
SHA512: 87b75079de8071a83c9e3b69533926b8d9db5ce7d9203c78d059b6407733593b02db29658cf2bf4d83786b19c69701526ebe60c31034c6faefcef4e1d24b9b9c
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

dridex_ldr (yara_rule)
resource: behavioral1/memory/1548-115-0x0000000073FB0000-0x0000000073FE0000-memory.dmp

Program crash (1 IoC)
pid    pid_target  Process       procid_target
2652   1548        WerFault.exe  71

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid    Process
2652   WerFault.exe  (14 identical events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid    Process
Token: SeRestorePrivilege  2652   WerFault.exe
Token: SeBackupPrivilege   2652   WerFault.exe
Token: SeDebugPrivilege    2652   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process       procid_target
PID 640 wrote to memory of 1548   640   rundll32.exe  71  (3 identical events)
Processes

C:\Windows\system32\rundll32.exe  (PID 640)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d404a3ccf66caa47441ad80eefe3ca5b14fa82dd41271e9ce708b20d6208e47.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 1548)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d404a3ccf66caa47441ad80eefe3ca5b14fa82dd41271e9ce708b20d6208e47.dll,#1

    C:\Windows\SysWOW64\WerFault.exe  (PID 2652)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
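Two checks a defender might run against their own telemetry after reading this report, written as an added example (not part of the sandbox output). The first matches connection records against the extracted Dridex C2 endpoints; the second looks for the process chain the tree above shows: rundll32.exe loading a DLL from a user Temp path by ordinal export (",#1"), the 64-bit rundll32 re-launching the SysWOW64 rundll32 with the same command line (this relaunch, and the parent's WriteProcessMemory into the child, is rundll32's normal handling of a 32-bit DLL on 64-bit Windows, so on its own it is weak evidence), and the 32-bit child then crashing into WerFault.exe. The flow-log format, the process-event fields, the parent PID of the root process and the benign noise record are constructed for this example; the IP:port pairs, PIDs and command lines are copied from the report.

```python
"""Added example: IOC and process-chain checks derived from the sandbox report.
Log formats and sample records are constructed; adapt the parsers to your EDR/netflow export."""
import re
from dataclasses import dataclass

# C2 endpoints from the report's extracted config (Dridex, botnet 40112).
DRIDEX_C2 = {
    ("210.65.244.187", 443),
    ("162.241.41.92", 2303),
    ("46.231.204.10", 8172),
    ("185.183.159.100", 4125),
}

# Constructed netflow-style lines: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_FLOWS = """\
2021-06-15T11:16:02Z 10.0.0.25:49712 -> 210.65.244.187:443 tcp
2021-06-15T11:16:03Z 10.0.0.25:49713 -> 13.107.4.50:443 tcp
2021-06-15T11:16:09Z 10.0.0.25:49720 -> 185.183.159.100:4125 tcp
2021-06-15T11:16:11Z 10.0.0.25:49721 -> 185.183.159.100:443 tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def match_c2(flow_text, c2=DRIDEX_C2):
    """Return (timestamp, 'ip:port') for each flow whose destination is a configured C2 pair.
    Both IP and port must match: 185.183.159.100:443 is not in the config and is not flagged."""
    hits = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        key = (m["dst"], int(m["dport"]))
        if key in c2:
            hits.append((m["ts"], f"{key[0]}:{key[1]}"))
    return hits


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\4d404a3ccf66caa47441ad80eefe3ca5b14fa82dd41271e9ce708b20d6208e47.dll"

# Constructed process-creation events mirroring the report's tree (PIDs and command lines
# from the report; the root's parent PID 4120 and the shell32 record are made up as noise).
SAMPLE_PROCS = [
    Proc(640, 4120, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(1548, 640, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(2652, 1548, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 680"),
    Proc(3001, 900, r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

# A DLL under the user's Temp directory invoked by ordinal export (",#<n>").
ORDINAL_TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+\b", re.IGNORECASE)


def flag_rundll32_chain(procs):
    """Return (pid, score, reasons) for each rundll32 that loads a Temp-path DLL by ordinal.
    Score 1: the load alone. +1: it re-launched SysWOW64 rundll32 with the same command line.
    +1: that 32-bit child crashed into WerFault (-p <child pid>). A partial chain still reports."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)

    def is_rundll32(p):
        return p.image.lower().endswith("\\rundll32.exe")

    findings = []
    for p in procs:
        if not is_rundll32(p) or not ORDINAL_TEMP_DLL.search(p.cmdline):
            continue
        parent = by_pid.get(p.ppid)
        # The SysWOW64 relaunch is reported under its parent; skip it here to avoid double counting.
        if parent and is_rundll32(parent) and parent.cmdline == p.cmdline:
            continue
        score, reasons = 1, ["rundll32 loads a Temp-path DLL by ordinal export"]
        for c in children.get(p.pid, []):
            if c.image.lower() == r"c:\windows\syswow64\rundll32.exe" and c.cmdline == p.cmdline:
                score += 1
                reasons.append(f"re-launched as SysWOW64 rundll32 (pid {c.pid}); 32-bit DLL on x64")
                crashed = any(g.image.lower().endswith("\\werfault.exe") and f"-p {c.pid}" in g.cmdline
                              for g in children.get(c.pid, []))
                if crashed:
                    score += 1
                    reasons.append(f"32-bit child pid {c.pid} crashed into WerFault")
        findings.append((p.pid, score, reasons))
    return findings


if __name__ == "__main__":
    for ts, dst in match_c2(SAMPLE_FLOWS):
        print(f"C2 contact {ts} -> {dst}")
    for pid, score, reasons in flag_rundll32_chain(SAMPLE_PROCS):
        print(f"pid {pid} score {score}: " + "; ".join(reasons))
```

The C2 matcher keys on IP and port because that is what the config gives; matching on IP alone casts a wider net but will also catch unrelated traffic to shared hosting addresses, so widen it deliberately rather than by default. The process check scores the chain rather than firing on WriteProcessMemory alone, since the parent-to-child write in the report is the operating system's own 32-bit relaunch and not the loader injecting anywhere; the stronger signals on this page are the in-memory dridex_ldr YARA hit on PID 1548 and the extracted C2 list.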