Analysis
max time kernel: 18s
max time network: 126s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 15:38
Static task: static1
General
Target: 9610892c6751205b94f6a24a1e1fab87344ab4fe3fddc7634918072203d53952.dll
Size: 170KB
MD5: 92d09d234544f4f145164d09f121fa8f
SHA1: 675778d235a2e64aedbdeeac20e67b15dee02b3d
SHA256: 9610892c6751205b94f6a24a1e1fab87344ab4fe3fddc7634918072203d53952
SHA512: 9032b28c8b927b052cba4602f84987af1d069b6b22eae7b542f8063722659919bb766aaeb37a2d3ac9f0f744ad81feea047795864fa6ef80ec11205497bd5b64
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
128.199.200.38:443
192.163.233.216:6601
43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

dridex_ldr (yara_rule)
resource: behavioral1/memory/3704-116-0x0000000073DE0000-0x0000000073E10000-memory.dmp

Program crash (1 IoC)
pid 4024 (WerFault.exe), pid_target 3704, procid_target 68

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid 4024 (WerFault.exe), same entry repeated 14 times

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeRestorePrivilege, pid 4024 (WerFault.exe)
Token: SeBackupPrivilege, pid 4024 (WerFault.exe)
Token: SeDebugPrivilege, pid 4024 (WerFault.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
PID 3840 (rundll32.exe) wrote to memory of 3704, procid_target 68, same entry repeated 3 times
Processes

C:\Windows\SysWOW64\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9610892c6751205b94f6a24a1e1fab87344ab4fe3fddc7634918072203d53952.dll,#1
PID: 3704

    C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 680
    PID: 4024
    signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9610892c6751205b94f6a24a1e1fab87344ab4fe3fddc7634918072203d53952.dll,#1
PID: 3840
signatures: Suspicious use of WriteProcessMemory