Analysis
max time kernel: 16s
max time network: 78s
platform: windows10_x64
resource: win10v20210410
submitted: 21-06-2021 00:09
Static task: static1
General
Target: 64926da007bad95cdb3f3c0d1a18907b07858ed2ab73c7c0a9a6f073396a259e.dll
Size: 163KB
MD5: 544c910f5becc4a04aaa7867016f0366
SHA1: 63a76a1c6371f8b7cfe830af75dadfcd9c37293a
SHA256: 64926da007bad95cdb3f3c0d1a18907b07858ed2ab73c7c0a9a6f073396a259e
SHA512: 00f371ae61ba0f0e6b3e52e265a41e0d323adc1f23ffb3d171ea406073541800b2614d923ae41eb9ec46cded51c52198194e89b3593167b11b323154310de13f
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  43.229.206.212:443
  82.209.17.209:8172
  162.241.209.225:4125
rc4.plain
Signatures
Processes:
  resource:  behavioral1/memory/424-115-0x0000000010000000-0x000000001002E000-memory.dmp
  yara_rule: dridex_ldr
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  3676  424         WerFault.exe  rundll32.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  3676  WerFault.exe  (14 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description               pid   process
  Token: SeRestorePrivilege  3676  WerFault.exe
  Token: SeBackupPrivilege   3676  WerFault.exe
  Token: SeDebugPrivilege    3676  WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process       target process
  PID 3100 wrote to memory of 424   3100  rundll32.exe  rundll32.exe
  PID 3100 wrote to memory of 424   3100  rundll32.exe  rundll32.exe
  PID 3100 wrote to memory of 424   3100  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\64926da007bad95cdb3f3c0d1a18907b07858ed2ab73c7c0a9a6f073396a259e.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\64926da007bad95cdb3f3c0d1a18907b07858ed2ab73c7c0a9a6f073396a259e.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 712
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken