Analysis
max time kernel: 27s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 15/06/2021, 16:17
Static task: static1
General
Target: b1976f40c9354ea8a9a61070c57cd8c0fcaa8db6c9931d030bacad73a032cd43.dll
Size: 170KB
MD5: 7390f7a75d76c89e9310b66ff3802e1b
SHA1: 0be241b2f1329350f0c518b20a301ea3d58bf522
SHA256: b1976f40c9354ea8a9a61070c57cd8c0fcaa8db6c9931d030bacad73a032cd43
SHA512: f4bd176465fef56f9079520f2947f785bcca577bfd47d9171406cebfbd023094d21c1a34c2b713cb36abd2d05d2d754c80df9a0395f134e9ef7b6d24c6ce704c
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA rule match
resource                                                                      yara_rule
behavioral1/memory/1496-115-0x0000000073F10000-0x0000000073F40000-memory.dmp  dridex_ldr

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1252  1496        WerFault.exe  69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
1252  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid   Process
Token: SeRestorePrivilege  1252  WerFault.exe
Token: SeBackupPrivilege   1252  WerFault.exe
Token: SeDebugPrivilege    1252  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid  Process       procid_target
PID 488 wrote to memory of 1496  488  rundll32.exe  69   (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1976f40c9354ea8a9a61070c57cd8c0fcaa8db6c9931d030bacad73a032cd43.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 488

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1976f40c9354ea8a9a61070c57cd8c0fcaa8db6c9931d030bacad73a032cd43.dll,#1
    PID: 1496

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1252