Analysis
Max time kernel:  20s
Max time network: 116s
Platform:         windows10_x64
Resource:         win10v20210410
Submitted:        15/06/2021, 12:04
Static task:      static1
General
Target: 42095a65f6b3969f545db4e968315e7c518b30f705aa3711a73e7f00d243f149.dll
Size:   170KB
MD5:    7fc3f71674092448572d65303103a665
SHA1:   b44706e9bc1f44017bdf887c4f563175129a58ba
SHA256: 42095a65f6b3969f545db4e968315e7c518b30f705aa3711a73e7f00d243f149
SHA512: 47f0355761f80c9d47e02b4652b5351487800a438a598de2894bd69ca0872c405798e4f13320033536349563176de6de27e8dca27885c8a5c20e688852e3539e
Malware Config
Extracted
Family: dridex
Botnet: 40112
C2:
  128.199.200.38:443
  192.163.233.216:6601
  43.229.206.244:4125
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource                                                                              yara_rule
  behavioral1/memory/3260-115-0x0000000073860000-0x0000000073890000-memory.dmp          dridex_ldr

Program crash (1 IoC)
  pid   pid_target   Process        procid_target
  944   3260         WerFault.exe   48

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  944   WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   944   WerFault.exe
  Token: SeBackupPrivilege    944   WerFault.exe
  Token: SeDebugPrivilege     944   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid    Process        procid_target
  PID 2760 wrote to memory of 3260     2760   rundll32.exe   48
  PID 2760 wrote to memory of 3260     2760   rundll32.exe   48
  PID 2760 wrote to memory of 3260     2760   rundll32.exe   48
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42095a65f6b3969f545db4e968315e7c518b30f705aa3711a73e7f00d243f149.dll,#1
   PID: 2760
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42095a65f6b3969f545db4e968315e7c518b30f705aa3711a73e7f00d243f149.dll,#1
      PID: 3260

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 680
         PID: 944
         Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken