Analysis
- max time kernel: 18s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 00:14
- Static task: static1
General
- Target: 3bbd1c9cd82093ec083a4cb914ebfd934cde9bd90629457bf8a18484430c5a48.dll
- Size: 174KB
- MD5: 3fb410d92ad4598149fb3628018a63a7
- SHA1: 4117a5b64ebebad09d5500c5f80d6ce82eaf8101
- SHA256: 3bbd1c9cd82093ec083a4cb914ebfd934cde9bd90629457bf8a18484430c5a48
- SHA512: 796c863e4966cc0dde553054c17caa6b23d6ed2a0ba6498597545a9fd14926ba253a0cabe8901d21da78e2d3f84c390e2ef1a5d2c5dcd07d095cb3aa0157e589
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  178.128.220.64:30333
  45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
-
  Processes:
  resource: behavioral1/memory/4000-115-0x0000000074480000-0x00000000744B0000-memory.dmp
  yara_rule: dridex_ldr
- Program crash (1 IoC)
  Processes:
  pid: 2580  pid_target: 4000  process: WerFault.exe  target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid: 2580  process: WerFault.exe  (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description: Token: SeRestorePrivilege  pid: 2580  process: WerFault.exe
  description: Token: SeBackupPrivilege   pid: 2580  process: WerFault.exe
  description: Token: SeDebugPrivilege    pid: 2580  process: WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description: PID 4056 wrote to memory of 4000  pid: 4056  process: rundll32.exe  target process: rundll32.exe  (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bbd1c9cd82093ec083a4cb914ebfd934cde9bd90629457bf8a18484430c5a48.dll,#1
  PID: 4056
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bbd1c9cd82093ec083a4cb914ebfd934cde9bd90629457bf8a18484430c5a48.dll,#1
    PID: 4000
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 652
      PID: 2580
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken