Analysis

max time kernel: 17s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 16:17
Static task: static1
General

Target: 20cfb7261b4b9a6b7dfa96d248b3d2444a4aa712ffce804102b72f0f2276766e.dll
Size: 172KB
MD5: ead70c421880021a2ae0be1206103f58
SHA1: f1d2b334df28e0af15d79f49de27c8b37d863a48
SHA256: 20cfb7261b4b9a6b7dfa96d248b3d2444a4aa712ffce804102b72f0f2276766e
SHA512: 4b9b1ea0f88e4a61154935012dadd89707f9fb563b44ee824ccdac943165ac61e73bcaf28e314280f20619fab20d07b93f79d7bf09e457031e0968e03ff46cc5
Malware Config

Extracted
Family: dridex
Botnet: 40112
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
Signatures

resource: behavioral1/memory/3736-115-0x0000000073D70000-0x0000000073DA0000-memory.dmp
yara_rule: dridex_ldr

Program crash (1 IoCs)
pid   pid_target   Process        procid_target
3476  3736         WerFault.exe   70

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
3476  WerFault.exe   (same row reported 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid   Process
Token: SeRestorePrivilege  3476  WerFault.exe
Token: SeBackupPrivilege   3476  WerFault.exe
Token: SeDebugPrivilege    3476  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process        procid_target
PID 3768 wrote to memory of 3736   3768  rundll32.exe   70   (same row reported 3 times)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20cfb7261b4b9a6b7dfa96d248b3d2444a4aa712ffce804102b72f0f2276766e.dll,#1
   PID: 3768
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20cfb7261b4b9a6b7dfa96d248b3d2444a4aa712ffce804102b72f0f2276766e.dll,#1
      PID: 3736

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 684
         PID: 3476
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken