Analysis
Max time kernel: 26s
Max time network: 89s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 15/06/2021, 15:46
Static task: static1
General
Target: b5714bcca34cedf65b05c46d7b7bf3647d677328ff2b0fb19a5a47888957c479.dll
Size: 172KB
MD5: 687505dfd8a81b7007e3e8e0a5355be6
SHA1: 9a114a1a7c5e06efcb3f6afd7ea3b30391311d0c
SHA256: b5714bcca34cedf65b05c46d7b7bf3647d677328ff2b0fb19a5a47888957c479
SHA512: f130b8562d581b160e5ae40e52aa311075083a4fd09d3ca2973a7861016cb52b55a3a9313db1b86d316d4a81996320d7de3f681e61cf4c5ddb01d15a6d0410ba
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
Keys:
  rc4.plain
  rc4.plain
Signatures
YARA rule match: dridex_ldr
  resource: behavioral1/memory/1028-115-0x0000000074350000-0x0000000074380000-memory.dmp
Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  940  1028        WerFault.exe  69
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  Process
  940  WerFault.exe  (14 occurrences)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid  Process
  Token: SeRestorePrivilege  940  WerFault.exe
  Token: SeBackupPrivilege   940  WerFault.exe
  Token: SeDebugPrivilege    940  WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process       procid_target
  PID 740 wrote to memory of 1028  740  rundll32.exe  69  (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5714bcca34cedf65b05c46d7b7bf3647d677328ff2b0fb19a5a47888957c479.dll,#1
   PID: 740
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5714bcca34cedf65b05c46d7b7bf3647d677328ff2b0fb19a5a47888957c479.dll,#1
      PID: 1028
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 680
         PID: 940
         Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample is invoked through rundll32 by export ordinal (#1) from the user's Temp directory. The 64-bit rundll32 (PID 740) re-launches the SysWOW64 copy (PID 1028) because the DLL is 32-bit, which is why the WriteProcessMemory and the dridex_ldr YARA hit (a 32-bit address range in the PID 1028 dump) are attributed to the second process. WerFault.exe -p 1028 then records that the 32-bit rundll32 crashed, so the loader did not run to completion in this sandbox; the C2 list above comes from the static config extraction, not from observed network traffic.
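An added triage helper (example code written for this edit, not part of the Triage report or of any Hatching tooling) that turns the two actionable parts of the report into checks: it parses the extracted C2 block into (ip, port) pairs suitable for a blocklist, and it flags the rundll32 invocation pattern from the process tree, a DLL loaded from the user's Temp directory with an export called by ordinal. The config text and the sample command lines are constructed from the report; the regular expressions and function names are the example's own assumptions.

```python
"""Triage helper for the Dridex report above: parse extracted C2s and flag the
rundll32-by-ordinal loader pattern. Added example, not Triage/Hatching code."""
import re

# Constructed copy of the report's "Malware Config" block (values taken from the page).
CONFIG_TEXT = """\
Family
dridex
Botnet
40112
C2
210.65.244.187:443
162.241.41.92:2303
46.231.204.10:8172
185.183.159.100:4125
rc4.plain
rc4.plain
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2(text):
    """Return [(ip, port), ...] from the C2 block of an extracted-config dump.

    The block starts at a line that is exactly "C2" and ends at the next line
    that is not an ip:port pair (the next config key). Malformed octets or
    ports are skipped rather than raising, so a partly garbled dump still
    yields the good entries.
    """
    found = []
    in_c2 = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "C2":
            in_c2 = True
            continue
        if not in_c2:
            continue
        m = C2_RE.match(line)
        if not m:
            if line:          # next key: the C2 block is over
                in_c2 = False
            continue
        ip, port = m.group(1), int(m.group(2))
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 1 <= port <= 65535:
            found.append((ip, port))
    return found


# rundll32 <dll>,<export>  where export may be a name or an ordinal (#N).
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll)\s*,\s*(?P<export>#?\w+)", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def classify_rundll32(cmdline):
    """Return the reasons a rundll32 command line matches the loader pattern
    seen in the process tree, or [] if it is not rundll32 or looks benign."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return []
    reasons = []
    if m.group("export").startswith("#"):
        reasons.append("export called by ordinal")
    if USER_TEMP_RE.search(m.group("dll")):
        reasons.append("DLL loaded from user Temp directory")
    return reasons


# Constructed sample process-creation command lines: the two from the report
# plus one ordinary rundll32 use for contrast.
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5714bcca34cedf65b05c46d7b7bf3647d677328ff2b0fb19a5a47888957c479.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 680",
    r"rundll32.exe shell32.dll,Control_RunDLL",
]


def triage(cmdlines):
    """Map each flagged command line to its reasons (unflagged lines omitted)."""
    return {c: r for c in cmdlines if (r := classify_rundll32(c))}


if __name__ == "__main__":
    for ip, port in parse_c2(CONFIG_TEXT):
        print(f"block {ip}:{port}")
    for cmd, reasons in triage(SAMPLE_CMDLINES).items():
        print(f"FLAG {cmd}\n  {'; '.join(reasons)}")
```

The ordinal check alone is noisy (legitimate installers use rundll32 with ordinals too), so the helper reports reasons rather than a verdict; treat "ordinal + user Temp" together as the hunt signal and the C2 list as a network blocklist, keeping in mind that this sandbox run crashed before any C2 contact was observed.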