Analysis
max time kernel: 23s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 00:36
Static task: static1
General
Target: 975b9b0e22925662e9406d04cdb470fc9cd58583628cfc3449a11ec28e9940b3.dll
Size: 174KB
MD5: 4d175cb9787096d7e4c1af457eadbdca
SHA1: 93f6f3af105d066f349ad68b45617c51d56c2347
SHA256: 975b9b0e22925662e9406d04cdb470fc9cd58583628cfc3449a11ec28e9940b3
SHA512: e85d25ffe0804abce8e7ba46f2107ac947375b59d28ab0b82bf2b58ea8f1b84e9e785644e14603568c9329c0b9c401cdd633ba14dbc309ead11a6d25a5c07cb5
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                        yara_rule
  behavioral1/memory/4824-115-0x0000000073880000-0x00000000738B0000-memory.dmp   dridex_ldr

Program crash 1 IoCs
Processes:
  pid  pid_target  process       target process
  352  4824        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  pid  process
  352  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                pid  process
  Token: SeRestorePrivilege  352  WerFault.exe
  Token: SeBackupPrivilege   352  WerFault.exe
  Token: SeDebugPrivilege    352  WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                         pid   process       target process
  PID 4804 wrote to memory of 4824    4804  rundll32.exe  rundll32.exe   (3 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\975b9b0e22925662e9406d04cdb470fc9cd58583628cfc3449a11ec28e9940b3.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\975b9b0e22925662e9406d04cdb470fc9cd58583628cfc3449a11ec28e9940b3.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken