Analysis
  max time kernel:  26s
  max time network: 94s
  platform:         windows10_x64
  resource:         win10v20210408
  submitted:        15/06/2021, 11:30
  Static task:      static1
General
  Target:  f4d8027192223daf03be06779ccbcd8949e2c48e3805578854878a4127a72c50.dll
  Size:    170KB
  MD5:     aa35172af1a4e076186cd9032212b343
  SHA1:    51a9500f2448d526ffa69561b458a4a18feaf91e
  SHA256:  f4d8027192223daf03be06779ccbcd8949e2c48e3805578854878a4127a72c50
  SHA512:  d161eda1de52998eef9b24207166c3011f7204148b47450274daacb27922314e5024e028678549c258f16a4ece14cf0aa87e57e4bfde462a578cf810b206e9e7
Malware Config
  Extracted
  Family:  dridex
  Botnet:  40112
  C2:      128.199.200.38:443
           192.163.233.216:6601
           43.229.206.244:4125
  rc4.plain
  rc4.plain
Signatures
  resource                                                                      yara_rule
  behavioral1/memory/1052-115-0x00000000738F0000-0x0000000073920000-memory.dmp  dridex_ldr

  Program crash (1 IoC)
    pid  pid_target  Process       procid_target
    196  1052        WerFault.exe  68

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid  Process
    196  WerFault.exe   (the same entry is listed 14 times)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description                pid  Process
    Token: SeRestorePrivilege  196  WerFault.exe
    Token: SeBackupPrivilege   196  WerFault.exe
    Token: SeDebugPrivilege    196  WerFault.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                      pid  Process       procid_target
    PID 916 wrote to memory of 1052  916  rundll32.exe  68
    (the same entry is listed 3 times)
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4d8027192223daf03be06779ccbcd8949e2c48e3805578854878a4127a72c50.dll,#1
    PID: 916
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4d8027192223daf03be06779ccbcd8949e2c48e3805578854878a4127a72c50.dll,#1
      PID: 1052
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 680
        PID: 196
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken