Analysis
  max time kernel:  21s
  max time network: 135s
  platform:         windows10_x64
  resource:         win10v20210408
  submitted:        10-06-2021 23:55
  Static task:      static1
General
  Target: 112fa5041b7d771c41971536137042d725985e5c0131f4d4e1823e0347784359.dll
  Size:   174KB
  MD5:    94e5e0a1a3b160d1662370687183cd12
  SHA1:   de240acd957c85a041f8a938663700b5561b97d9
  SHA256: 112fa5041b7d771c41971536137042d725985e5c0131f4d4e1823e0347784359
  SHA512: 56a3b94025846711439ca2b6e863b0aaec75fe8b11f406fe587aae2d47ea4bc73a12bf105d671163532a0a42d1b47eec1326e5d2ba23da4e9f185489b269e061
Malware Config
Extracted
  Family: dridex
  Botnet: 22201
  C2:     178.128.220.64:30333
          45.79.91.89:9987
  rc4.plain
  rc4.plain
Signatures

Processes:
  resource                                                                       yara_rule
  behavioral1/memory/3976-115-0x0000000073620000-0x0000000073650000-memory.dmp  dridex_ldr

Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  2288  3976        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  pid   process
  2288  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                pid   process
  Token: SeRestorePrivilege  2288  WerFault.exe
  Token: SeBackupPrivilege   2288  WerFault.exe
  Token: SeDebugPrivilege    2288  WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                      pid  process       target process
  PID 644 wrote to memory of 3976  644  rundll32.exe  rundll32.exe   (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe  (PID: 644)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\112fa5041b7d771c41971536137042d725985e5c0131f4d4e1823e0347784359.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID: 3976)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\112fa5041b7d771c41971536137042d725985e5c0131f4d4e1823e0347784359.dll,#1
    C:\Windows\SysWOW64\WerFault.exe  (PID: 2288)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
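Added hunting example, not part of the sandbox report: the indicators above (the DLL hashes, the two C2 endpoints, the rundll32 command line that calls export ordinal #1 on a DLL in the user's Temp directory, and the WerFault crash of the SysWOW64 rundll32) turned into detection logic and run over a constructed stream of Sysmon-style process and network events. The event field names are an assumption made here, the log lines are constructed to mirror the report's process tree, and the rules generalize beyond this sample: any rundll32 loading a DLL from AppData\Local\Temp by ordinal, and any WerFault crash whose target is a process the hunt already flagged.

```python
"""Hunt for the Dridex loader indicators from the report above in process and
network telemetry.  Added example: the event schema is Sysmon-like but assumed,
and every event below is constructed to mirror the report's process tree."""
import re
from collections import namedtuple

# Indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "94e5e0a1a3b160d1662370687183cd12",
    "sha1": "de240acd957c85a041f8a938663700b5561b97d9",
    "sha256": "112fa5041b7d771c41971536137042d725985e5c0131f4d4e1823e0347784359",
}
DRIDEX_C2 = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}
DRIDEX_C2_IPS = {ip for ip, _ in DRIDEX_C2}

# rundll32 (system32 or SysWOW64 copy) loading a DLL from a user's
# AppData\Local\Temp and calling an export by ordinal (",#1" in the report).
RUNDLL32_TEMP_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]*?\\AppData\\Local\\Temp\\[^",]+\.dll)"?,#(?P<ordinal>\d+)',
    re.IGNORECASE,
)
# WerFault.exe -u -p <crashed pid> -s <event handle>
WERFAULT_TARGET = re.compile(r"WerFault\.exe\s.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)

Alert = namedtuple("Alert", "rule pid detail")


def check_hashes(observed):
    """Return the hash types (md5/sha1/sha256) under which `observed` matches the sample."""
    return sorted(k for k, v in SAMPLE_HASHES.items()
                  if observed.get(k, "").lower() == v)


def check_process(ev, flagged):
    """Flag the loader command line; flag a WerFault crash only when its target
    is a process this hunt already flagged, so ordinary crashes stay quiet."""
    m = RUNDLL32_TEMP_ORDINAL.search(ev["cmdline"])
    if m:
        flagged.add(ev["pid"])
        return Alert("rundll32_temp_dll_ordinal", ev["pid"],
                     f"{m['dll']} export #{m['ordinal']}")
    m = WERFAULT_TARGET.search(ev["cmdline"])
    if m and int(m["pid"]) in flagged:
        return Alert("werfault_on_flagged_rundll32", ev["pid"], f"crash of pid {m['pid']}")
    return None


def check_network(ev):
    """Exact host:port from the config is high confidence; the same IP on another
    port is lower confidence but still worth a look."""
    key = (ev["dst_ip"], ev["dst_port"])
    if key in DRIDEX_C2:
        return Alert("dridex_c2_exact", ev["pid"], f"{key[0]}:{key[1]}")
    if ev["dst_ip"] in DRIDEX_C2_IPS:
        return Alert("dridex_c2_ip_only", ev["pid"],
                     f"{key[0]}:{key[1]} (port differs from config)")
    return None


def hunt(events):
    """Run both checks over an ordered event stream and return the alerts raised."""
    flagged, alerts = set(), []
    for ev in events:
        if ev["type"] == "process":
            alert = check_process(ev, flagged)
        elif ev["type"] == "network":
            alert = check_network(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events mirroring the report's tree: 64-bit rundll32 (644) relaunches
# the SysWOW64 copy (3976), which crashes under WerFault (2288); plus a benign
# rundll32 invocation and a benign connection as negatives.
LOADER_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
              r"\112fa5041b7d771c41971536137042d725985e5c0131f4d4e1823e0347784359.dll,#1")
SAMPLE_EVENTS = [
    {"type": "process", "pid": 644, "ppid": 5000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": LOADER_CMD},
    {"type": "process", "pid": 3976, "ppid": 644,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": LOADER_CMD},
    {"type": "process", "pid": 2288, "ppid": 3976,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 644"},
    {"type": "process", "pid": 1200, "ppid": 5000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "pid": 3976, "dst_ip": "178.128.220.64", "dst_port": 30333},
    {"type": "network", "pid": 3976, "dst_ip": "45.79.91.89", "dst_port": 443},
    {"type": "network", "pid": 1200, "dst_ip": "192.0.2.10", "dst_port": 443},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.rule:32} pid={a.pid:<5} {a.detail}")
```

Both rundll32 PIDs fire the first rule because the 64-bit rundll32.exe, when handed a 32-bit DLL, starts the SysWOW64 rundll32.exe with the same arguments, which is why the report shows a system32 parent and a SysWOW64 child with identical command lines. The WerFault rule is deliberately keyed on PIDs already flagged in the same stream; on its own, `WerFault.exe -p` is far too common to alert on.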