Analysis
- max time kernel: 16s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-06-2021 22:07
- Static task: static1
General
- Target: 3ad1337e917555394932c271e50ef0c2d262ad92d9575215b4f407cb409c42ba.dll
- Size: 163KB
- MD5: b7d48b8d98b19d9477b4d6057550cb16
- SHA1: 8d5fe9f9be239283a1e335964633387dd55303d9
- SHA256: 3ad1337e917555394932c271e50ef0c2d262ad92d9575215b4f407cb409c42ba
- SHA512: 35503363cc914fe85cf9ede6788ce5710530f334baa06cb32267b2fba664d5ea729035fa8675394898b077646e4685150109825ffa76a027ee0981373dbc3595
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  43.229.206.212:443
  82.209.17.209:8172
  162.241.209.225:4125
- rc4.plain
- rc4.plain
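The extracted config above is the actionable part of this report: the three C2 endpoints can go straight into network detection. The following is an added example, not part of the sandbox report or of any vendor tooling. It parses a constructed copy of the Malware Config block, validates each ip:port entry, emits one Suricata rule per endpoint and matches a constructed connection log against the C2 set. The SID range starting at 9000001, the `$HOME_NET` variable and the sample log lines are assumptions.

```python
"""Turn the extracted Dridex config into network detections.

Added example, not part of the sandbox report. REPORT_CONFIG is a
constructed copy of the page's Malware Config block; the Suricata SID
range, $HOME_NET and the sample connection log are assumptions.
"""
import ipaddress
import re

# Constructed copy of the report's "Malware Config / Extracted" block.
REPORT_CONFIG = """\
Family
dridex
Botnet
22201
C2
43.229.206.212:443
82.209.17.209:8172
162.241.209.225:4125
rc4.plain
rc4.plain
"""

# One C2 entry per line: dotted-quad IPv4 followed by :port.
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Return (family, botnet, [(ip, port), ...]) from the flattened key/value block.

    Keys and values alternate line by line; the C2 key is followed by one
    line per endpoint until a line that is not ip:port.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family = botnet = None
    c2 = []
    i = 0
    while i < len(lines):
        key = lines[i]
        if key == "Family":
            family = lines[i + 1]
            i += 2
        elif key == "Botnet":
            botnet = lines[i + 1]
            i += 2
        elif key == "C2":
            i += 1
            while i < len(lines) and C2_RE.match(lines[i]):
                ip, port = C2_RE.match(lines[i]).groups()
                ipaddress.ip_address(ip)  # rejects octets above 255
                port = int(port)
                if not 0 < port < 65536:
                    raise ValueError("bad port in C2 entry: " + lines[i])
                c2.append((ip, port))
                i += 1
        else:
            i += 1  # keys such as rc4.plain whose values are not in the extract
    return family, botnet, c2


def suricata_rules(family, botnet, c2, sid_base=9000001):
    """One alert rule per C2 endpoint; SIDs are allocated from sid_base (assumed free)."""
    rules = []
    for n, (ip, port) in enumerate(c2):
        rules.append(
            "alert tcp $HOME_NET any -> {ip} {port} "
            '(msg:"{fam} botnet {bot} C2 {ip}:{port}"; '
            "flow:to_server,established; "
            "metadata: malware_family {fam}, botnet {bot}; "
            "classtype:trojan-activity; sid:{sid}; rev:1;)".format(
                ip=ip, port=port, fam=family, bot=botnet, sid=sid_base + n
            )
        )
    return rules


CONN_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def find_c2_connections(conn_log, c2):
    """Return the log lines whose destination ip:port is an extracted C2 endpoint."""
    targets = set(c2)
    hits = []
    for line in conn_log:
        m = CONN_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in targets:
            hits.append(line)
    return hits


# Constructed sample connection log ("src -> dst:port"); the 10.0.0.0/8 hosts are fictitious.
SAMPLE_CONN_LOG = [
    "10.0.0.5 -> 82.209.17.209:8172 proto=tcp",
    "10.0.0.5 -> 93.184.216.34:443 proto=tcp",
    "10.0.0.7 -> 43.229.206.212:80 proto=tcp",  # known host, wrong port: no hit
    "10.0.0.7 -> 162.241.209.225:4125 proto=tcp",
]

if __name__ == "__main__":
    fam, bot, c2 = parse_config(REPORT_CONFIG)
    for rule in suricata_rules(fam, bot, c2):
        print(rule)
    for hit in find_c2_connections(SAMPLE_CONN_LOG, c2):
        print("C2 contact:", hit)
```

The matcher keys on exact ip:port pairs, so a connection to a listed host on a port the config does not name is not reported; widen it to host-only matching if you are willing to accept the extra false positives from shared hosting on those addresses.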
Signatures
- YARA rule match: dridex_ldr (1 IoC)
  Resource: behavioral1/memory/1808-115-0x0000000010000000-0x000000001002E000-memory.dmp (memory of PID 1808, rundll32.exe)
  The matched region starts at 0x10000000, the default image base of a 32-bit DLL, which fits the sample being loaded by the SysWOW64 rundll32.exe.
- Program crash (1 IoC)
  PID 3672 WerFault.exe, target PID 1808 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 3672 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 3672 WerFault.exe: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4044 rundll32.exe wrote to memory of PID 1808 rundll32.exe (3 occurrences)

Apart from the in-memory YARA match, every signature listed here comes from WerFault.exe (PID 3672) handling the crash of PID 1808, not from the sample itself: process enumeration and the SeDebugPrivilege/SeBackupPrivilege/SeRestorePrivilege adjustments are normal Windows Error Reporting behaviour. The WriteProcessMemory events are the 64-bit rundll32.exe (PID 4044) creating its 32-bit SysWOW64 counterpart (PID 1808) to load the 32-bit DLL.
Processes
- C:\Windows\system32\rundll32.exe (PID 4044)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ad1337e917555394932c271e50ef0c2d262ad92d9575215b4f407cb409c42ba.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1808)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ad1337e917555394932c271e50ef0c2d262ad92d9575215b4f407cb409c42ba.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 3672)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 720
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The `,#1` argument tells rundll32.exe to call the DLL export at ordinal 1. The 64-bit rundll32.exe re-launches the SysWOW64 (32-bit) rundll32.exe because the DLL is 32-bit; that 32-bit instance (PID 1808) is the one that crashed, as shown by WerFault.exe being invoked with `-p 1808`.