Analysis
- max time kernel: 27s
- max time network: 96s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 15:44
- Static task: static1
General
- Target: a8547eb9fa294dce3973378ffd1ff08f4bf72c71e4e9088e41574326d7ed2e93.dll
- Size: 172KB
- MD5: 1fd7e0298d8f9c65c17c31fd7c96a8fb
- SHA1: a5e12e3f15a6bc27c89966ade4e1e07d0b45562d
- SHA256: a8547eb9fa294dce3973378ffd1ff08f4bf72c71e4e9088e41574326d7ed2e93
- SHA512: 3a0ffeda54bc1c2caee0f3210a443ef8e838ec741a0760a066c3dbf3193f7945335224d50a7dfa4c79e9e37ed5a0929dd6e469db72b429d60c915a71f7533089
Malware Config (Extracted)
- Family: dridex
- Botnet: 40112
- C2:
  - 210.65.244.187:443
  - 162.241.41.92:2303
  - 46.231.204.10:8172
  - 185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
- yara_rule
  resource: behavioral1/memory/1184-115-0x00000000738F0000-0x0000000073920000-memory.dmp
  rule: dridex_ldr
- Program crash (1 IoC)
  pid: 2172 (WerFault.exe), pid_target: 1184, procid_target: 69
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 2172 (WerFault.exe), 14 identical entries
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege, pid: 2172 (WerFault.exe)
  Token: SeBackupPrivilege, pid: 2172 (WerFault.exe)
  Token: SeDebugPrivilege, pid: 2172 (WerFault.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 860 (rundll32.exe) wrote to memory of 1184, procid_target: 69, 3 identical entries
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8547eb9fa294dce3973378ffd1ff08f4bf72c71e4e9088e41574326d7ed2e93.dll,#1
  PID: 860
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8547eb9fa294dce3973378ffd1ff08f4bf72c71e4e9088e41574326d7ed2e93.dll,#1
    PID: 1184
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 684
      PID: 2172
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken