Analysis
max time kernel: 18s
max time network: 122s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 15:28
Static task: static1
General
Target: ff42a8c156542587a6ab6527d0805d88b454a9cce0105f3f08b2b7ca1fbec10b.dll
Size: 170KB
MD5: e561582cd061be9a50f2131c99799c56
SHA1: ea47b15a08a8ed8a352478e664c0d7a7451d399b
SHA256: ff42a8c156542587a6ab6527d0805d88b454a9cce0105f3f08b2b7ca1fbec10b
SHA512: d9262132fc6e1e86f73fb9e86be2f0924177b351a06d776343f97fb9c34928663d2f140c3b25a9bb83da418da3726101003b8a76b7e3b551eb2598876aef26f1
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA match
  resource:  behavioral1/memory/740-115-0x0000000073BF0000-0x0000000073C20000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoCs)
  pid   pid_target   Process        procid_target
  3032  740          WerFault.exe   63

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  3032  WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   3032  WerFault.exe
  Token: SeBackupPrivilege    3032  WerFault.exe
  Token: SeDebugPrivilege     3032  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process        procid_target
  PID 3176 wrote to memory of 740   3176  rundll32.exe   63   (same entry repeated 3 times)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff42a8c156542587a6ab6527d0805d88b454a9cce0105f3f08b2b7ca1fbec10b.dll,#1
   PID: 3176
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff42a8c156542587a6ab6527d0805d88b454a9cce0105f3f08b2b7ca1fbec10b.dll,#1
      PID: 740

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 684
         PID: 3032
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken