Analysis
- max time kernel: 19s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15/06/2021, 11:18
- Static task: static1
General
- Target: 7218ffe333c5bc8026c0f6fa8b98821d8d26d8dd322c95359556d1b70aa21e27.dll
- Size: 170KB
- MD5: 3a6df949e5d7d9e43982ef494d8bf850
- SHA1: df3eaafa40b45014fd28eef73ff66a993151a9ed
- SHA256: 7218ffe333c5bc8026c0f6fa8b98821d8d26d8dd322c95359556d1b70aa21e27
- SHA512: 3e5b077677fddce52bfcf4204d32e40866ca74430a78396071212add797a1b9ecd3d189dff55dbc7b38e497835aa7b9a25af4f33035be3aeca84051b959cd7a5
Malware Config
Extracted
- Family: dridex
- Botnet: 40112
- C2:
  - 128.199.200.38:443
  - 192.163.233.216:6601
  - 43.229.206.244:4125
- rc4.plain
- rc4.plain
Signatures
- dridex_ldr (yara_rule)
  resource: behavioral1/memory/3224-115-0x0000000073660000-0x0000000073690000-memory.dmp
  The rule matches a memory region of PID 3224 (the 32-bit SysWOW64 rundll32.exe), i.e. the Dridex loader was identified in memory after the DLL was mapped; the sample was not flagged on disk.
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1520  3224        WerFault.exe  72
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1520  WerFault.exe   (same row repeated 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  1520  WerFault.exe
  Token: SeBackupPrivilege   1520  WerFault.exe
  Token: SeDebugPrivilege    1520  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4008 wrote to memory of 3224  4008  rundll32.exe  72   (same row repeated 3 times)
Note that the EnumeratesProcesses and AdjustPrivilegeToken hits belong to WerFault.exe, the Windows crash handler, which enables SeDebugPrivilege to read the crashed process; they are not the sample's own behaviour. The sample-attributable evidence in this run is the WriteProcessMemory from 4008 into 3224 and the dridex_ldr hit in 3224's memory.
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\7218ffe333c5bc8026c0f6fa8b98821d8d26d8dd322c95359556d1b70aa21e27.dll,#1
   PID: 4008
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7218ffe333c5bc8026c0f6fa8b98821d8d26d8dd322c95359556d1b70aa21e27.dll,#1
      PID: 3224
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 688
         PID: 1520
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
The 64-bit rundll32.exe in System32 re-launches the 32-bit SysWOW64 copy with the same command line, which is what rundll32 does when handed a 32-bit DLL; the DLL's export is called by ordinal (#1) rather than by name. The Dridex loader is mapped in the 32-bit child (PID 3224, see the memory YARA hit), which then crashes and WerFault.exe is started for it (-p 3224).
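The tree above (64-bit rundll32.exe -> 32-bit SysWOW64 rundll32.exe -> WerFault.exe, with a DLL from the user's Temp directory loaded by ordinal) is a pattern worth hunting for in endpoint telemetry. The Python below is an added example, not part of the Triage report or any vendor's code: the EVENTS records are constructed to mirror the report's PIDs and command lines plus one benign rundll32 invocation as a control, and the Sysmon-style field names (pid, ppid, image, cmdline) are an assumption about the log format.

```python
"""Hunt for the rundll32 loading pattern from the report's process tree.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the report's tree (4008 -> 3224 -> 1520) plus one benign control;
field names loosely follow Sysmon Event ID 1 but the records are made up.
"""
import re

# Directories an unprivileged user can write to; a DLL loaded from here by
# rundll32 is far more suspicious than one loaded from System32.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# rundll32 <dll>,<export>  where export is an ordinal (#1) or a name.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)
# WerFault.exe -u -p <pid> -s <handle>: the -p value is the crashed process.
WERFAULT_PID_RE = re.compile(r"werfault\.exe.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\7218ffe333c5bc8026c0f6fa8b98821d8d26d8dd322c95359556d1b70aa21e27.dll")

EVENTS = [  # constructed events modelled on the report's process tree
    {"pid": 4008, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 3224, "ppid": 4008, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 1520, "ppid": 3224, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 688"},
    {"pid": 5000, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign control
]


def crashed_pids(events):
    """PIDs that WerFault.exe was launched for (its -p argument)."""
    pids = set()
    for ev in events:
        m = WERFAULT_PID_RE.search(ev["cmdline"])
        if m:
            pids.add(int(m.group("pid")))
    return pids


def find_suspicious_rundll32(events):
    """Flag rundll32 invocations that load a DLL from a user-writable path.

    Each hit records whether the export was called by ordinal (",#1" in the
    report), whether the 32-bit SysWOW64 rundll32 was used, and whether the
    process later crashed under WerFault. Hits are sorted by pid.
    """
    crashed = crashed_pids(events)
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_RE.search(ev["cmdline"])
        if not m:
            continue
        dll, export = m.group("dll"), m.group("export")
        if not any(marker in dll.lower() for marker in USER_WRITABLE_MARKERS):
            continue
        hits.append({
            "pid": ev["pid"],
            "ppid": ev["ppid"],
            "dll": dll,
            "export": export,
            "ordinal_export": export.startswith("#"),
            "wow64": "\\syswow64\\" in ev["image"].lower(),
            "crashed": ev["pid"] in crashed,
        })
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for hit in find_suspicious_rundll32(EVENTS):
        print(f"pid={hit['pid']} ppid={hit['ppid']} wow64={hit['wow64']} "
              f"export={hit['export']} crashed={hit['crashed']} dll={hit['dll']}")
```

Run against the constructed events, both rundll32 processes from the report are flagged (the DLL is under AppData\Local\Temp and called by ordinal), the benign shell32.dll invocation is not, and only PID 3224 is marked as crashed because WerFault's -p argument names it. The WerFault process itself is never a hit; it is used purely as a correlation signal.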