Analysis
max time kernel: 18s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 15/06/2021, 11:04
Static task: static1
General
Target: 2ad58a1f0e12542ae554bfb65394cd43d23e06f0b51fa390823058da6c271295.dll
Size: 170KB
MD5: 240dfd103373194332a747d53ab86af6
SHA1: c4294849abc2a7240bad18ec3e8ebcd9a8325c3f
SHA256: 2ad58a1f0e12542ae554bfb65394cd43d23e06f0b51fa390823058da6c271295
SHA512: 1fca16aef1b5c6cf196ea94f1b00afc13a65b45aa5a90fdf1ff7c541af0fccf6c89e6d8572208c07c7cda25c9502921c541aa18fdcd2d27713f258f5b3479fb3
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/4052-115-0x0000000073F20000-0x0000000073F50000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid: 3804, pid_target: 4052, Process: WerFault.exe, procid_target: 47

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid: 3804, Process: WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeRestorePrivilege, pid: 3804, Process: WerFault.exe
  description: Token: SeBackupPrivilege, pid: 3804, Process: WerFault.exe
  description: Token: SeDebugPrivilege, pid: 3804, Process: WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2256 wrote to memory of 4052, pid: 2256, Process: rundll32.exe, procid_target: 47
  description: PID 2256 wrote to memory of 4052, pid: 2256, Process: rundll32.exe, procid_target: 47
  description: PID 2256 wrote to memory of 4052, pid: 2256, Process: rundll32.exe, procid_target: 47
Processes

C:\Windows\system32\rundll32.exe (PID: 2256)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ad58a1f0e12542ae554bfb65394cd43d23e06f0b51fa390823058da6c271295.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID: 4052)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ad58a1f0e12542ae554bfb65394cd43d23e06f0b51fa390823058da6c271295.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (PID: 3804)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken