Analysis

Max time kernel:  25s
Max time network: 112s
Platform:         windows10_x64
Resource:         win10v20210408
Submitted:        15/06/2021, 11:31
Static task:      static1
General

Target: d1318a924cec814630d21482bfb7689c5a6cb64ac27f9ccd78df17680bc8742c.dll
Size:   170KB
MD5:    817188221b35a5b619b53231b6503d50
SHA1:   714678480c3a56ef8bbe92bcc7005231e77710a2
SHA256: d1318a924cec814630d21482bfb7689c5a6cb64ac27f9ccd78df17680bc8742c
SHA512: 8981caa4c7e592bf9a4f76d1dbb22bdcbee31f72ce24e4e60942d19c3fb41b4a9e1b7589bf3e2d567ad8a1ebff5ac1598d35fee81063ecebd13a8d1da5eed534
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource                                                                       yara_rule
  behavioral1/memory/1156-115-0x0000000073550000-0x0000000073580000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2236  1156        WerFault.exe  69

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  2236  WerFault.exe  (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  2236  WerFault.exe
  Token: SeBackupPrivilege   2236  WerFault.exe
  Token: SeDebugPrivilege    2236  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 856 wrote to memory of 1156  856  rundll32.exe  69
  PID 856 wrote to memory of 1156  856  rundll32.exe  69
  PID 856 wrote to memory of 1156  856  rundll32.exe  69
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1318a924cec814630d21482bfb7689c5a6cb64ac27f9ccd78df17680bc8742c.dll,#1
   PID: 856
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1318a924cec814630d21482bfb7689c5a6cb64ac27f9ccd78df17680bc8742c.dll,#1
      PID: 1156

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 680
         PID: 2236
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken