Analysis
- max time kernel: 18s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:16
- Static task: static1
General
- Target: fa7c61ed88bc0a8e0e4db95b1d20b62d4dec0563fe4d1a40d3499a23aacf39cb.dll
- Size: 174KB
- MD5: 5c7ac084d3c0c3845284cb6396656094
- SHA1: a3293b47b36f3c9317251c2fd612cd494eb6538c
- SHA256: fa7c61ed88bc0a8e0e4db95b1d20b62d4dec0563fe4d1a40d3499a23aacf39cb
- SHA512: f88a2e8792da94f5db98d551c6583781f0acc15c90a8bec2c4f2c2aa40b89df83d92276eb6213f054206874a826d4a05a79a8c508f328e0215242813189f33d9
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
-
Processes:
- resource: behavioral1/memory/4456-115-0x0000000074290000-0x00000000742C0000-memory.dmp
  yara_rule: dridex_ldr
-
Program crash 1 IoCs
Processes:
- pid 4016 WerFault.exe -> pid_target 4456 rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- pid 4016 WerFault.exe (14 entries, all for the same process)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeRestorePrivilege, pid 4016 WerFault.exe
- Token: SeBackupPrivilege, pid 4016 WerFault.exe
- Token: SeDebugPrivilege, pid 4016 WerFault.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- PID 4444 rundll32.exe wrote to memory of 4456 rundll32.exe (3 entries)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa7c61ed88bc0a8e0e4db95b1d20b62d4dec0563fe4d1a40d3499a23aacf39cb.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa7c61ed88bc0a8e0e4db95b1d20b62d4dec0563fe4d1a40d3499a23aacf39cb.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken