Analysis
max time kernel: 25s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 11:23
Static task: static1
General
Target: 781dc6ec8721a568f6e985830c3ad74300cebeccabba0676273bd2c7a77f4174.dll
Size: 172KB
MD5: b15845537b3fa11c106fc64c4164f5ea
SHA1: 82ab0a8bfc5201e930c1514c42d95c90085c7247
SHA256: 781dc6ec8721a568f6e985830c3ad74300cebeccabba0676273bd2c7a77f4174
SHA512: 286f823869b440e15729234de5f84aebcdb8a2e7d709dcf4464d02b3e93d546bd35ec2fac5f61908002d829f95ca71cce95c4b62803cc7356e36a1e63099d284
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures
dridex_ldr (yara_rule)
  resource: behavioral1/memory/1336-115-0x0000000074430000-0x0000000074460000-memory.dmp
Program crash (1 IoC)
  pid: 3756 (WerFault.exe), pid_target: 1336, procid_target: 70
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 3756 (WerFault.exe), 14 identical entries
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege, pid: 3756 (WerFault.exe)
  Token: SeBackupPrivilege, pid: 3756 (WerFault.exe)
  Token: SeDebugPrivilege, pid: 3756 (WerFault.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 804 (rundll32.exe) wrote to memory of 1336, procid_target: 70, 3 identical entries
Processes
1. C:\Windows\system32\rundll32.exe (PID: 804)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\781dc6ec8721a568f6e985830c3ad74300cebeccabba0676273bd2c7a77f4174.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID: 1336)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\781dc6ec8721a568f6e985830c3ad74300cebeccabba0676273bd2c7a77f4174.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID: 3756)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 684
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken