Analysis
max time kernel: 17s
max time network: 118s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 15:20
Static task: static1
General
Target: 31da7a176c4645fcb7e59b4c51ba1834ff6df14caafc70263c8f348af7f87e2f.dll
Size: 170KB
MD5: af3a0ab02e0d6fbeb2390e545e13c7a3
SHA1: 808cdb6515091948ff9b4fd92d67b459d0d37873
SHA256: 31da7a176c4645fcb7e59b4c51ba1834ff6df14caafc70263c8f348af7f87e2f
SHA512: 39bc59394c3d90cbe588eadf98c060c430bb2edb29221a37c1fe0150a41ba2bf321f0d5af7229e3db6946f350a7bc492454e1d3495eb3993d8090c11b94e709d
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/4468-115-0x0000000074290000-0x00000000742C0000-memory.dmp
  rule: dridex_ldr

Program crash (1 IoC)
  pid   pid_target   Process        procid_target
  1016  4468         WerFault.exe   34

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1016  WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   1016  WerFault.exe
  Token: SeBackupPrivilege    1016  WerFault.exe
  Token: SeDebugPrivilege     1016  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process        procid_target
  PID 4444 wrote to memory of 4468   4444  rundll32.exe   34   (same entry repeated 3 times)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\31da7a176c4645fcb7e59b4c51ba1834ff6df14caafc70263c8f348af7f87e2f.dll,#1
  PID: 4444
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\31da7a176c4645fcb7e59b4c51ba1834ff6df14caafc70263c8f348af7f87e2f.dll,#1
    PID: 4468

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 680
      PID: 1016
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken