Analysis

- max time kernel: 24s
- max time network: 93s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15/06/2021, 15:25
- Static task: static1
General

- Target: 9fc2b1fb10956b2c47b3c6b8f6d2cafe150430a533ee9655163ce28df0bbd105.dll
- Size: 170KB
- MD5: cae7e9a812aa79658363220cdc518eca
- SHA1: b341e9ab0470fba2568a3e0f20387f5cd633791f
- SHA256: 9fc2b1fb10956b2c47b3c6b8f6d2cafe150430a533ee9655163ce28df0bbd105
- SHA512: b3282bc86222be90823413f19fa7ebcaf7f3ccffbab6ac72b530ef898e93fb804fc71c9fc2cf2fd67161e0a6594339ecca1858ba0b2c2d9630f09315d69be7c0
Malware Config

Extracted
- Family: dridex
- Botnet: 40112
- C2:
  - 128.199.200.38:443
  - 192.163.233.216:6601
  - 43.229.206.244:4125
- rc4.plain
- rc4.plain
Signatures

YARA rule match (behavioral1):

| resource | yara_rule |
|---|---|
| behavioral1/memory/1464-115-0x00000000738F0000-0x0000000073920000-memory.dmp | dridex_ldr |

Program crash (1 IoC):

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 2204 | 1464 | WerFault.exe | 69 |

Suspicious behavior: EnumeratesProcesses (14 IoCs, all the same process):

| pid | Process |
|---|---|
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |
| 2204 | WerFault.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs):

| description | pid | Process |
|---|---|---|
| Token: SeRestorePrivilege | 2204 | WerFault.exe |
| Token: SeBackupPrivilege | 2204 | WerFault.exe |
| Token: SeDebugPrivilege | 2204 | WerFault.exe |

Suspicious use of WriteProcessMemory (3 IoCs):

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 860 wrote to memory of 1464 | 860 | rundll32.exe | 69 |
| PID 860 wrote to memory of 1464 | 860 | rundll32.exe | 69 |
| PID 860 wrote to memory of 1464 | 860 | rundll32.exe | 69 |
Processes

- C:\Windows\system32\rundll32.exe (PID:860)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fc2b1fb10956b2c47b3c6b8f6d2cafe150430a533ee9655163ce28df0bbd105.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID:1464)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fc2b1fb10956b2c47b3c6b8f6d2cafe150430a533ee9655163ce28df0bbd105.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID:2204)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 696
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken