Analysis

max time kernel: 19s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:13
static task: static1
General

Target: efe35e598ab3a917826801409b601a9407b4b50540c3303daf319e51b37b32d0.dll
Size: 170KB
MD5: 0c11371697e8dba51059bffeeb42673d
SHA1: 08233d8e56153241e1312a04547fd1bd7079a5c8
SHA256: efe35e598ab3a917826801409b601a9407b4b50540c3303daf319e51b37b32d0
SHA512: b15e4432d65f24a1943e5f19f2ceaa2edd215c4c4ba00d4c9617a0dedf3472bdcf7f7710a3f29a351493e2d724b2edfa011ed0c82223c2589dec61b0f9ce1372
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain: (value not present in this copy of the report)
rc4.plain: (value not present in this copy of the report)

Note: the C2 endpoints above come from the extracted configuration. This report lists no network signatures, so treat the addresses as config-derived indicators rather than as connections observed during the run.
Signatures

YARA rule: dridex_ldr
  resource: behavioral1/memory/2856-115-0x00000000741E0000-0x0000000074210000-memory.dmp
  (memory region of PID 2856, the 32-bit rundll32.exe; the 0x741E0000 range is a 32-bit address space, as expected for a SysWOW64 process)

Program crash (1 IoC)
  pid 3808 (WerFault.exe), pid_target 2856, procid_target 70

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  all 14 from pid 3808, WerFault.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege  pid 3808  WerFault.exe
  Token: SeBackupPrivilege   pid 3808  WerFault.exe
  Token: SeDebugPrivilege    pid 3808  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1832 (rundll32.exe) wrote to memory of PID 2856, procid_target 70 (reported three times)

Note: the EnumeratesProcesses and AdjustPrivilegeToken hits are all raised by WerFault.exe (PID 3808), i.e. by Windows Error Reporting while it collects the crash dump of PID 2856, not by the sample itself. The WriteProcessMemory hits record the 64-bit rundll32.exe (PID 1832) spawning the 32-bit copy under SysWOW64 (PID 2856), which is how rundll32 runs a 32-bit DLL on a 64-bit host. The evidence that the DLL is the Dridex loader is the dridex_ldr match on the memory of PID 2856 together with the extracted configuration.
Processes

1. C:\Windows\system32\rundll32.exe
   command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\efe35e598ab3a917826801409b601a9407b4b50540c3303daf319e51b37b32d0.dll,#1
   PID: 1832
   signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\efe35e598ab3a917826801409b601a9407b4b50540c3303daf319e51b37b32d0.dll,#1
      PID: 2856

      3. C:\Windows\SysWOW64\WerFault.exe
         command: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 684
         PID: 3808
         signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
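As an added example that is not part of the sandbox report, the following Python helper turns the indicators above (file hashes, botnet id, C2 address:port pairs, and the rundll32 invocation shape from the process tree) into checks that can be run over log lines. The NET_LOG and PROC_LOG inputs are constructed sample lines, and their formats are assumptions made for illustration; only the indicator values are taken from the report.

```python
"""Triage helpers built from the indicators in the Dridex report above.

Added example; it is not part of the sandbox report.  The hashes, botnet id
and C2 endpoints are copied from the report.  NET_LOG and PROC_LOG are
constructed sample lines, and the log formats are assumptions for illustration.
"""
import re

IOCS = {
    "md5": "0c11371697e8dba51059bffeeb42673d",
    "sha1": "08233d8e56153241e1312a04547fd1bd7079a5c8",
    "sha256": "efe35e598ab3a917826801409b601a9407b4b50540c3303daf319e51b37b32d0",
    "botnet": "40112",
    # (address, port) pairs from the extracted config
    "c2": {("128.199.200.38", 443), ("192.163.233.216", 6601), ("43.229.206.244", 4125)},
}

# Constructed firewall lines: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
NET_LOG = """\
2021-06-15T11:13:02Z 10.0.0.17:49712 -> 128.199.200.38:443 tcp
2021-06-15T11:13:03Z 10.0.0.17:49713 -> 93.184.216.34:443 tcp
2021-06-15T11:13:05Z 10.0.0.17:49714 -> 192.163.233.216:6601 tcp
2021-06-15T11:13:07Z 10.0.0.17:49715 -> 43.229.206.244:80 tcp
"""
NET_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed process-creation lines (Sysmon event 1 style, reduced to three fields).
# The first line mirrors the report's process tree; the second is a benign rundll32 use.
PROC_LOG = r"""
ParentImage=C:\Windows\system32\rundll32.exe|Image=C:\Windows\SysWOW64\rundll32.exe|CommandLine=rundll32.exe C:\Users\Admin\AppData\Local\Temp\efe35e598ab3a917826801409b601a9407b4b50540c3303daf319e51b37b32d0.dll,#1
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\system32\rundll32.exe|CommandLine=rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL
ParentImage=C:\Windows\SysWOW64\rundll32.exe|Image=C:\Windows\SysWOW64\WerFault.exe|CommandLine=C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 684
"""
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?,\s*(?P<export>#\d+|\w+)', re.IGNORECASE
)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")


def hash_is_sample(digest):
    """True if a hex digest (MD5, SHA1 or SHA256, any case) is the analysed DLL."""
    return digest.strip().lower() in (IOCS["md5"], IOCS["sha1"], IOCS["sha256"])


def match_c2(log_text, exact_port=True):
    """Return (timestamp, dst, dport) for each connection to a configured C2.

    With exact_port=True only the address:port pairs from the config count;
    with exact_port=False any traffic to a C2 address is returned, the looser
    hunt to run when the bot may have been re-keyed to a different port.
    """
    addrs = {a for a, _ in IOCS["c2"]}
    hits = []
    for line in log_text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in IOCS["c2"] or (not exact_port and dst in addrs):
            hits.append((m["ts"], dst, dport))
    return hits


def flag_rundll32(proc_log):
    """Flag rundll32 launches that look like the report's loader invocation.

    Two independent signals: the DLL lives in a user-writable directory, and
    the export is called by ordinal (",#1").  Returns (image, dll, export, reasons).
    """
    flagged = []
    for line in proc_log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split("|") if "=" in f)
        m = RUNDLL_RE.search(fields.get("CommandLine", ""))
        if not m:
            continue
        reasons = []
        if any(d in m["path"].lower() for d in USER_WRITABLE):
            reasons.append("dll in user-writable directory")
        if m["export"].startswith("#"):
            reasons.append("export called by ordinal")
        if reasons:
            flagged.append((fields.get("Image", ""), m["path"], m["export"], reasons))
    return flagged


if __name__ == "__main__":
    print("C2 contacts:", match_c2(NET_LOG))
    print("rundll32 hits:", flag_rundll32(PROC_LOG))
```

Run as-is it reports the two exact C2 contacts in NET_LOG and the one rundll32 line that matches the report's loader shape; the benign shell32.dll invocation and the WerFault line are not flagged. The 43.229.206.244:80 line only appears with exact_port=False, which is the trade-off to decide before hunting on these addresses alone.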