Analysis
- Max time kernel: 18s
- Max time network: 139s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 10-06-2021 23:34
- Static task: static1
General
- Target: 4a829594e255648957a3b5acfbb7166d411d602c27377a4d456cd3762f641d32.dll
- Size: 174KB
- MD5: 273e85b905184a40605cfe8dd2cbaa0a
- SHA1: 0feaddb38b8a6723cb93b681621ef343c243b95a
- SHA256: 4a829594e255648957a3b5acfbb7166d411d602c27377a4d456cd3762f641d32
- SHA512: 0e4d4b9ba8fa3773f5fda9ce1e8d3bfe78760df1b03e07f33ce204447d83750df82b764c1862c403f7d28009bc2117782b4dbbd3ab2f3b5f1e6f7f0f5f5f9966
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain

The botnet ID and C2 endpoints above come from configuration extraction, not from observed traffic: the report records no network indicators, and the dynamic run ended with the 32-bit rundll32 host crashing (see Signatures and Processes). Treat the two IP:port pairs as indicators to block or hunt for, not as evidence that this run beaconed.
Signatures
- yara_rule match (memory)
  - resource: behavioral1/memory/3180-115-0x00000000736B0000-0x00000000736E0000-memory.dmp
  - rule: dridex_ldr
  The rule fired on a 0x30000-byte region in pid 3180, the SysWOW64 rundll32.exe that loaded the DLL. This is the one signature in the run attributable to the sample itself.
- Program crash (1 IoC)
  - pid 1296 WerFault.exe, target pid 3180 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  - pid 1296 WerFault.exe (14 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - pid 1296 WerFault.exe: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  - pid 3656 rundll32.exe wrote to memory of pid 3180 rundll32.exe (3 events)

The EnumeratesProcesses and AdjustPrivilegeToken hits all belong to WerFault.exe, which is Windows Error Reporting collecting a crash dump of pid 3180; enumerating processes and enabling SeDebugPrivilege is its normal behaviour and should not be read as capability of the sample. The WriteProcessMemory events are the 64-bit rundll32.exe (pid 3656) writing into the 32-bit rundll32.exe it spawned (pid 3180), which is consistent with the WoW64 relaunch shown in the process tree rather than with injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (pid 3656)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a829594e255648957a3b5acfbb7166d411d602c27377a4d456cd3762f641d32.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (pid 3180)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a829594e255648957a3b5acfbb7166d411d602c27377a4d456cd3762f641d32.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (pid 1296)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 656
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The DLL is invoked by export ordinal (",#1") from the user's Temp directory. The 64-bit rundll32.exe re-launches itself from SysWOW64 to host the DLL, which indicates a 32-bit image; that child is the process in which the dridex_ldr rule matched and which subsequently crashed.
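The process chain above (rundll32 loading a DLL by ordinal from a user Temp path, re-spawning under SysWOW64, then WerFault reporting a crash of that child) is a pattern worth catching in process-creation telemetry. The following is an added example, not part of the sandbox report: a small detector run over constructed records in a Sysmon Event ID 1 style. The field names, the benign control record and the parent pid of the first rundll32.exe (which the report does not give) are assumptions; the three Dridex-chain records mirror the tree shown above.

```python
"""Flag the rundll32 -> SysWOW64 rundll32 -> WerFault chain in process-creation logs.

Added example; not code from the sandbox or the report. Records are constructed
in a Sysmon Event ID 1 style (pid, ppid, image, command line).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\4a829594e255648957a3b5acfbb7166d411d602c27377a4d456cd3762f641d32.dll"

# Constructed sample records modelled on the report's process tree.
# ppid 1000 for the first rundll32.exe is assumed; the report does not state it.
SAMPLE_EVENTS = [
    ProcEvent(3656, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3180, 3656, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1296, 3180, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 656"),
    # Benign control (constructed): a system DLL invoked by export name, no crash.
    ProcEvent(5120, 800, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

# rundll32 invoked with "<path>.dll,#<ordinal>" (export by ordinal).
RUNDLL_ORDINAL = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),#(?P<ordinal>\d+)\s*$", re.I)
# DLL path under a per-user Temp directory.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# WerFault reporting a crash of process <pid>.
WERFAULT_PID = re.compile(r"WerFault\.exe\s.*-p\s+(?P<pid>\d+)", re.I)


def detect_rundll32_chain(events):
    """Return (finding, pid) tuples for the suspicious rundll32 pattern.

    Findings:
      rundll32_ordinal_from_temp  rundll32 loading a Temp-resident DLL by ordinal
      wow64_rundll32_relaunch     SysWOW64 rundll32 whose parent is system32 rundll32
      rundll32_crash_after_load   WerFault handling a crash of such a rundll32
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = e.image.lower()
        m = RUNDLL_ORDINAL.search(e.cmdline)
        if m and image.endswith("rundll32.exe") and USER_TEMP.search(m["dll"]):
            findings.append(("rundll32_ordinal_from_temp", e.pid))
            parent = by_pid.get(e.ppid)
            if (parent and parent.image.lower().endswith("\\system32\\rundll32.exe")
                    and "\\syswow64\\" in image):
                findings.append(("wow64_rundll32_relaunch", e.pid))
        w = WERFAULT_PID.search(e.cmdline)
        if w and image.endswith("werfault.exe"):
            victim = by_pid.get(int(w["pid"]))
            if victim and victim.image.lower().endswith("rundll32.exe"):
                findings.append(("rundll32_crash_after_load", victim.pid))
    return findings


if __name__ == "__main__":
    for name, pid in detect_rundll32_chain(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The crash finding is deliberately keyed on the victim pid from the WerFault `-p` argument rather than on WerFault's parent, since the crashed process does not always survive long enough to appear as the parent in the log. In production the same logic maps onto a Sigma or SIEM rule over the ParentImage, Image and CommandLine fields.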