Analysis
max time kernel: 18s
max time network: 126s
platform: windows10_x64
resource: win10v20210410
submitted: 10-08-2021 06:30
Static task: static1
General
Target: 260f418b2b8b071a44b6de2ca53f2e1b2b2ee0d8c8371bf0ab23e445ecf92dfc.dll
Size: 184KB
MD5: 6186f4d41087246aa55a28071dfc47ab
SHA1: 6f66d93c5740a32a2c3e37ce555b2e183f07539f
SHA256: 260f418b2b8b071a44b6de2ca53f2e1b2b2ee0d8c8371bf0ab23e445ecf92dfc
SHA512: 78a2bf95f4a9034b8ce9fc51165fa2bd62c610b97d5fce37f5ef85820bd9f5a5f0f3e8cae29ee95635401a1b99d4db859d732778cf30b204b73a8a155a579b9f
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
103.75.201.2:443
158.223.1.108:6225
165.22.28.242:4664
rc4.plain
rc4.plain
Signatures

Processes:
resource | yara_rule
behavioral1/memory/500-115-0x0000000073DE0000-0x0000000073E10000-memory.dmp | dridex_ldr

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3476 | 500 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
3476 | WerFault.exe (same row repeated 14 times)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 3476 | WerFault.exe
Token: SeBackupPrivilege | 3476 | WerFault.exe
Token: SeDebugPrivilege | 3476 | WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 3944 wrote to memory of 500 | 3944 | rundll32.exe | rundll32.exe
PID 3944 wrote to memory of 500 | 3944 | rundll32.exe | rundll32.exe
PID 3944 wrote to memory of 500 | 3944 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\260f418b2b8b071a44b6de2ca53f2e1b2b2ee0d8c8371bf0ab23e445ecf92dfc.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\260f418b2b8b071a44b6de2ca53f2e1b2b2ee0d8c8371bf0ab23e445ecf92dfc.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 616
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken