Analysis
max time kernel: 22s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 03:21
Static task: static1
General
Target: fac37d736d05a4311a2b41877cdf5da53c3a5a4bf1373325ca6db2b72f672b72.dll
Size: 174KB
MD5: 2c40260cfa90bfe815711b4aec7ed69c
SHA1: f1afe5720fb291fdc4c08d44c4af0ff2159ce980
SHA256: fac37d736d05a4311a2b41877cdf5da53c3a5a4bf1373325ca6db2b72f672b72
SHA512: 60eaf1d386b5826f84f13c0cc8971684257bfaba19d13d5870cb87356110cccd7a80db287a44f0f8b3ee125c3df1d0b415c267f7ce15d52ed98eb89a7252d18d
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
- 178.128.220.64:30333
- 45.79.91.89:9987
Keys: rc4.plain, rc4.plain
Signatures

Yara rule match
Processes:
- resource: behavioral1/memory/828-115-0x00000000735F0000-0x0000000073620000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
- pid 3196 WerFault.exe, target pid 828 rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- pid 3196 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- pid 3196 WerFault.exe, Token: SeRestorePrivilege
- pid 3196 WerFault.exe, Token: SeBackupPrivilege
- pid 3196 WerFault.exe, Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 596 rundll32.exe wrote to memory of 828 rundll32.exe (3 occurrences)
Processes (process tree, depth shown by indentation)

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fac37d736d05a4311a2b41877cdf5da53c3a5a4bf1373325ca6db2b72f672b72.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fac37d736d05a4311a2b41877cdf5da53c3a5a4bf1373325ca6db2b72f672b72.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken