Analysis
  max time kernel: 18s
  max time network: 152s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 15/06/2021, 11:23
Static task: static1
General
  Target: 21e1461ae1adee83c24f94f49f0d3acde426bbd8c02072d5a19e307b57538a44.dll
  Size: 170KB
  MD5: 1aebbdf19e3d579bee405fb370b021dd
  SHA1: 8ee84ef87aa4f243f914aa27951a258a620e153b
  SHA256: 21e1461ae1adee83c24f94f49f0d3acde426bbd8c02072d5a19e307b57538a44
  SHA512: 17fab87fe4c01fcaec5616302c71ada093b0c76742e7c47c32803381dc4cee51f1ee892b28e202f6c418fb34791fb363ccf62e3ab7297fa99c6dbe9c0e382d81
Malware Config (extracted)
  Family: dridex
  Botnet: 40112
  C2:
    128.199.200.38:443
    192.163.233.216:6601
    43.229.206.244:4125
  rc4.plain
  rc4.plain
  (two RC4 key fields are listed; their values are not included in this report)
Signatures
  Dridex loader (yara_rule: dridex_ldr)
    resource: behavioral1/memory/3024-115-0x00000000736B0000-0x00000000736E0000-memory.dmp
  Program crash (1 IoC)
    pid 1008 WerFault.exe, pid_target 3024 (procid_target 52)
  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid 1008 WerFault.exe, 14 occurrences
  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Token: SeRestorePrivilege   pid 1008 WerFault.exe
    Token: SeBackupPrivilege    pid 1008 WerFault.exe
    Token: SeDebugPrivilege     pid 1008 WerFault.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    PID 3680 rundll32.exe wrote to memory of PID 3024 (procid_target 52), 3 occurrences
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e1461ae1adee83c24f94f49f0d3acde426bbd8c02072d5a19e307b57538a44.dll,#1
    PID: 3680
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e1461ae1adee83c24f94f49f0d3acde426bbd8c02072d5a19e307b57538a44.dll,#1
      PID: 3024
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 676
        PID: 1008
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
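The process tree and extracted configuration above can be turned into a hunting check. The Python below is an added example, not part of the sandbox report or of any vendor tooling. The process-creation events are constructed to mirror the tree in the report (the field names pid/ppid/image/cmdline and the parent PID 1234 are assumptions, not a real EDR or Sysmon schema). It flags rundll32.exe loading a DLL from a user's AppData\Local\Temp directory by ordinal export (",#1"), the 64-bit System32 rundll32.exe re-launching the 32-bit SysWOW64 rundll32.exe with the same command line (which is what Windows does when the 64-bit host is handed a 32-bit DLL, and is why the report shows the WriteProcessMemory from 3680 into 3024), WerFault reporting on a flagged PID via its -p argument, and splits the C2 entries into host/port pairs for a blocklist.

```python
import re

# Constructed process-creation events mirroring the sandbox process tree above.
# Field names (pid, ppid, image, cmdline) and the parent PID 1234 are
# assumptions for this example, not a real EDR or Sysmon schema.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\21e1461ae1adee83c24f94f49f0d3acde426bbd8c02072d5a19e307b57538a44.dll")
EVENTS = [
    {"pid": 3680, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 3024, "ppid": 3680, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1008, "ppid": 3024, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 676"},
    # Benign control: rundll32 calling a named export of a System32 DLL.
    {"pid": 4100, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

# C2 endpoints extracted from the sample's configuration (botnet 40112).
C2 = ["128.199.200.38:443", "192.163.233.216:6601", "43.229.206.244:4125"]

# rundll32 <drive>:\Users\<user>\AppData\Local\Temp\<name>.dll,#<ordinal>
ORDINAL_TEMP_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^,"]+\.dll)"?,#\d+',
    re.IGNORECASE,
)

# WerFault.exe ... -p <pid of the faulting process>
WERFAULT_TARGET = re.compile(r"\bwerfault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def _is_rundll32(ev):
    return ev["image"].lower().endswith("\\rundll32.exe")


def find_ordinal_temp_loads(events):
    """PIDs of rundll32 processes loading a DLL from %LOCALAPPDATA%\\Temp by ordinal."""
    return [ev["pid"] for ev in events
            if _is_rundll32(ev) and ORDINAL_TEMP_DLL.search(ev["cmdline"])]


def find_wow64_relaunch(events):
    """(parent, child) pairs where System32 rundll32 spawned SysWOW64 rundll32 with
    the same command line: the 64-bit host re-launching itself to load a 32-bit DLL."""
    by_pid = {ev["pid"]: ev for ev in events}
    pairs = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if (parent and _is_rundll32(ev) and _is_rundll32(parent)
                and "\\syswow64\\" in ev["image"].lower()
                and "\\system32\\" in parent["image"].lower()
                and ev["cmdline"].lower() == parent["cmdline"].lower()):
            pairs.append((parent["pid"], ev["pid"]))
    return pairs


def find_crashed_targets(events):
    """Map WerFault PID -> PID it is reporting on (taken from its -p argument)."""
    out = {}
    for ev in events:
        m = WERFAULT_TARGET.search(ev["cmdline"])
        if m:
            out[ev["pid"]] = int(m.group(1))
    return out


def parse_c2(entries):
    """Split 'host:port' strings into (host, port) tuples for a blocklist."""
    result = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        result.append((host, int(port)))
    return result


def triage(events):
    """Combine the checks into one verdict for a batch of process events."""
    loads = find_ordinal_temp_loads(events)
    relaunch = find_wow64_relaunch(events)
    crashes = find_crashed_targets(events)
    crashed_suspects = sorted(t for t in crashes.values() if t in loads)
    return {"ordinal_temp_loads": loads, "wow64_relaunch": relaunch,
            "crashed_suspects": crashed_suspects, "suspicious": bool(loads)}


if __name__ == "__main__":
    print(triage(EVENTS))
    print(parse_c2(C2))
```

On the report's tree this flags PIDs 3680 and 3024 for the ordinal Temp load, pairs 3680 with 3024 as the WoW64 re-launch, and attributes the WerFault instance (1008) to the crash of 3024; the shell32.dll control event is not flagged. The crash is worth treating as a signal in its own right: a loader that faults in a sandbox still yielded the memory dump that the dridex_ldr YARA rule matched.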