Analysis
max time kernel: 19s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 12:06
Static task: static1
General
Target: 9ccb6847bc2fef3a99e19b1e8a3054eb0aa5e4c7d7f88edcf6bcd32c8623f058.dll
Size: 172KB
MD5: 1b9aaa798255f0ab8c6598c57dc6b64f
SHA1: 7ed94f8ccade8dd6d9f6471dd311f3e418dff50e
SHA256: 9ccb6847bc2fef3a99e19b1e8a3054eb0aa5e4c7d7f88edcf6bcd32c8623f058
SHA512: 0e3d33748c1b8bbbbef2f4aaed5e5f1e676a6236ad5f3e2850e58ae771185fb4145036bc6b94ec03fcfbae3aee18a76eb37d7e95d6bbe5562b8f2a85d59e5a48
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
210.65.244.187:443
162.241.41.92:2303
46.231.204.10:8172
185.183.159.100:4125
rc4.plain:
rc4.plain:
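The extracted config is only useful once it is turned into something that can be matched against traffic. The following is an added example (not part of the report and not the sandbox's own extractor) that validates the C2 list copied from the Malware Config section above and checks it against a few constructed proxy log lines; the log format, field order and the `C2Endpoint` type are assumptions. Because three of the four C2 endpoints sit on non-standard ports, the matcher distinguishes an exact ip:port hit from an ip-only hit.

```python
"""Turn the extracted Dridex config into a matchable indicator set.

Added example; not part of the sandbox report or of its config extractor.
The config values are copied from the report; the proxy log lines below
are constructed, and their format (ts src dst:port action) is an assumption.
"""
import ipaddress
from dataclasses import dataclass

# Values copied from the report's Malware Config section.
EXTRACTED_CONFIG = {
    "family": "dridex",
    "botnet": "40112",
    "c2": [
        "210.65.244.187:443",
        "162.241.41.92:2303",
        "46.231.204.10:8172",
        "185.183.159.100:4125",
    ],
}


@dataclass(frozen=True)
class C2Endpoint:
    """Hypothetical indicator type: an IPv4 address plus TCP port."""
    ip: ipaddress.IPv4Address
    port: int


def parse_c2_list(entries):
    """Validate each 'ip:port' string; reject malformed entries loudly.

    A silently dropped entry would leave a C2 unmonitored, so any entry
    that is not a well-formed IPv4 address with a valid port raises.
    """
    endpoints = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in C2 entry {entry!r}")
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry {entry!r}")
        endpoints.add(C2Endpoint(ipaddress.IPv4Address(host), port))
    return endpoints


# Constructed log lines (format assumed): timestamp src dst:port action
SAMPLE_LOG = """\
2021-06-15T12:07:01Z 10.0.0.15 210.65.244.187:443 allowed
2021-06-15T12:07:03Z 10.0.0.15 162.241.41.92:2303 allowed
2021-06-15T12:07:05Z 10.0.0.22 162.241.41.92:80 allowed
2021-06-15T12:07:09Z 10.0.0.15 8.8.8.8:53 allowed
"""


def match_log(log_text, endpoints, port_sensitive=True):
    """Return (src, dst) pairs whose destination is a known C2.

    port_sensitive=True requires the exact ip:port from the config.
    port_sensitive=False counts any connection to a C2 IP, which catches a
    rotated port but will false-positive on shared hosting addresses.
    """
    known_ips = {e.ip for e in endpoints}
    hits = []
    for line in log_text.splitlines():
        _ts, src, dst, _action = line.split()
        host, _, port = dst.rpartition(":")
        candidate = C2Endpoint(ipaddress.IPv4Address(host), int(port))
        if candidate in endpoints or (not port_sensitive and candidate.ip in known_ips):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    c2 = parse_c2_list(EXTRACTED_CONFIG["c2"])
    for src, dst in match_log(SAMPLE_LOG, c2):
        print(f"{src} contacted Dridex botnet {EXTRACTED_CONFIG['botnet']} C2 {dst}")
```

Run it with the port-insensitive option only when the C2 IPs are known to be dedicated to the botnet; the third sample line (same IP, port 80) shows the difference between the two modes.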
Signatures

YARA rule match: dridex_ldr
resource: behavioral1/memory/684-115-0x0000000073B80000-0x0000000073BB0000-memory.dmp
(memory region of PID 684, the SysWOW64 rundll32.exe that loaded the DLL; the 0x30000-byte range is consistent with the 172KB loader being mapped there)

Program crash (1 IoC)
pid   pid_target   Process        procid_target
4068  684          WerFault.exe   49

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
4068  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   4068  WerFault.exe
Token: SeBackupPrivilege    4068  WerFault.exe
Token: SeDebugPrivilege     4068  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process        procid_target
PID 3984 wrote to memory of 684   3984  rundll32.exe   49   (3 identical entries)

Note that every EnumeratesProcesses and AdjustPrivilegeToken hit is attributed to WerFault.exe, the Windows Error Reporting process that handles the crash of PID 684; those privileges (SeDebugPrivilege in particular) are what WerFault needs to dump a crashing process, so on their own they are crash-handling noise rather than malware behaviour. The WriteProcessMemory entries are the 64-bit rundll32.exe (PID 3984) writing into the 32-bit rundll32.exe (PID 684) it spawned.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ccb6847bc2fef3a99e19b1e8a3054eb0aa5e4c7d7f88edcf6bcd32c8623f058.dll,#1
  PID: 3984
  Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ccb6847bc2fef3a99e19b1e8a3054eb0aa5e4c7d7f88edcf6bcd32c8623f058.dll,#1
    PID: 684

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 676
      PID: 4068
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken

The chain is the usual one for a 32-bit DLL handed to the 64-bit host: the sandbox invoked the System32 rundll32.exe, which cannot load a 32-bit module and relaunched itself from SysWOW64 with the same command line (the DLL is called by ordinal, #1, rather than by export name). The dridex_ldr YARA hit is on the memory of that 32-bit process (PID 684), which then crashed; WerFault.exe -p 684 is Windows Error Reporting attached to it. With the kernel time at 19s, the loader did not stay resident long enough for the C2 traffic in the extracted config to be observed in this run.
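The process tree above is itself a detectable pattern: rundll32.exe loading a DLL from the user's Temp directory by ordinal, a 64-bit-to-WoW64 relaunch with an identical command line, and WerFault.exe attaching to that process. The following is an added example (not part of the report and not any vendor's detection content) that runs those three checks over constructed Sysmon-style process-creation records mirroring the report's PIDs 3984, 684 and 4068, plus a benign rundll32 control case; the field names and the event layout are assumptions.

```python
"""Flag the rundll32 -> WoW64 rundll32 -> WerFault chain from the report.

Added example, not part of the sandbox report or of any vendor tooling.
EVENTS below are constructed process-creation records mirroring the
report's process tree; the field names (pid, ppid, image, cmdline) are
an assumption about the log source.
"""
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\9ccb6847bc2fef3a99e19b1e8a3054eb0aa5e4c7d7f88edcf6bcd32c8623f058.dll"

# Constructed events, one per process start (ppid 1000 stands in for the sandbox agent).
EVENTS = [
    {"pid": 3984, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 684, "ppid": 3984, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 4068, "ppid": 684, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 676"},
    # Benign control: rundll32 loading a system DLL by export name.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# DLL under %LOCALAPPDATA%\Temp invoked by ordinal (",#N") rather than by export name.
TEMP_DLL_ORDINAL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s]+\.dll,#\d+$", re.IGNORECASE)
# "-p <pid>" argument that WerFault.exe receives for the crashing process.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def is_rundll32(ev):
    return ev["image"].lower().endswith("\\rundll32.exe")


def suspicious_rundll32(ev):
    """rundll32.exe loading a Temp-directory DLL by ordinal."""
    return is_rundll32(ev) and bool(TEMP_DLL_ORDINAL_RE.search(ev["cmdline"]))


def crashed_pid(ev):
    """PID named by WerFault.exe's -p argument, or None for other images."""
    if not ev["image"].lower().endswith("\\werfault.exe"):
        return None
    m = WERFAULT_PID_RE.search(ev["cmdline"])
    return int(m.group(1)) if m else None


def wow64_relaunch(ev, by_pid):
    """SysWOW64 rundll32.exe started by System32 rundll32.exe with the same command line."""
    parent = by_pid.get(ev["ppid"])
    return (
        parent is not None
        and "\\syswow64\\rundll32.exe" in ev["image"].lower()
        and "\\system32\\rundll32.exe" in parent["image"].lower()
        and parent["cmdline"] == ev["cmdline"]
    )


def detect_chain(events):
    """Return (finding, pid) tuples; pid is the rundll32 process the finding concerns."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if suspicious_rundll32(ev):
            findings.append(("rundll32_temp_dll_ordinal", ev["pid"]))
        if wow64_relaunch(ev, by_pid):
            findings.append(("wow64_relaunch_same_cmdline", ev["pid"]))
        target = crashed_pid(ev)
        if target is not None and target in by_pid and suspicious_rundll32(by_pid[target]):
            # A crash of an already-suspicious rundll32 ties WerFault's activity back to the loader.
            findings.append(("werfault_on_suspicious_rundll32", target))
    return findings


if __name__ == "__main__":
    for finding, pid in detect_chain(EVENTS):
        print(f"{finding}: pid {pid}")
```

The WerFault rule is deliberately conditional on the target already being suspicious: WerFault.exe enumerating processes and enabling SeDebugPrivilege is normal crash handling, and alerting on it alone would fire on every application crash in the estate.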