Analysis
- max time kernel: 17s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15/06/2021, 15:26
- Static task: static1
General
- Target: a0248328ba21393193c4af21d956265d866e6658b1f3e18d4c48d5ec9014bee8.dll
- Size: 172KB
- MD5: aeeabfac7c4363790eed526f1d48c802
- SHA1: c95c2264982865eabf014f1cb58834501576cd9e
- SHA256: a0248328ba21393193c4af21d956265d866e6658b1f3e18d4c48d5ec9014bee8
- SHA512: 7558e053df483e9cecabab82680135e08b76bb3fcf940b5a05bdbec65ab4d2f932f2b55c37ad3e90a887c41ebb16292109da4ee8ffcbec4d12f73188d946652a
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- YARA rule match
  resource                                                                       yara_rule
  behavioral1/memory/3696-115-0x0000000073E80000-0x0000000073EB0000-memory.dmp   dridex_ldr
- Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  3488   3696         WerFault.exe   53
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid    Process
  3488   WerFault.exe   (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid    Process
  Token: SeRestorePrivilege   3488   WerFault.exe
  Token: SeBackupPrivilege    3488   WerFault.exe
  Token: SeDebugPrivilege     3488   WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process        procid_target
  PID 3368 wrote to memory of 3696   3368   rundll32.exe   53   (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0248328ba21393193c4af21d956265d866e6658b1f3e18d4c48d5ec9014bee8.dll,#1
  PID: 3368
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0248328ba21393193c4af21d956265d866e6658b1f3e18d4c48d5ec9014bee8.dll,#1
    PID: 3696
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 684
      PID: 3488
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken