Analysis
max time kernel: 25s
max time network: 113s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 03:16
Static task: static1
General
Target: e61cd137b79b66476e496eedb0f9f45f36e94855f3f014e09bb5ff7cc5c23830.dll
Size: 174KB
MD5: 5ec5f8c6510ebdb5e657ba2257ba1019
SHA1: 72be60edb83780e3ea0861d393592adc5f7c04d0
SHA256: e61cd137b79b66476e496eedb0f9f45f36e94855f3f014e09bb5ff7cc5c23830
SHA512: 2f703461f734f53009167783713b64dc95055b7649ae83e57818e0bb1765771351d4fffd28898768d41aed34302f11ac70bd6c9d8d49b303408788a3189abb9a
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2: 178.128.220.64:30333
C2: 45.79.91.89:9987
rc4.plain
rc4.plain
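The extracted configuration and file hashes above are only useful once they are in a form a blocklist or threat-intel platform can ingest. The following is an added example (not part of the sandbox report or any vendor tooling) that parses the flattened key/value layout of this page, validates hash lengths and C2 host:port entries, and emits flat indicator records. The report text is pasted inline as a constructed input string; the record field names (`file:sha256`, `c2:ip-port`) are this example's own, not a standard schema.

```python
"""Turn the extracted Dridex config and file hashes into machine-readable
indicators. Added example; REPORT_TEXT is a constructed copy of the report's
'General' and 'Malware Config' lines, not output fetched from a sandbox API."""
import ipaddress
import json
import re

# Constructed input: the flattened key-on-one-line / value-on-next-line layout.
REPORT_TEXT = """\
MD5
5ec5f8c6510ebdb5e657ba2257ba1019
SHA1
72be60edb83780e3ea0861d393592adc5f7c04d0
SHA256
e61cd137b79b66476e496eedb0f9f45f36e94855f3f014e09bb5ff7cc5c23830
Family
dridex
Botnet
22201
C2
178.128.220.64:30333
45.79.91.89:9987
rc4.plain
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
C2_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$")


def parse_report(text: str) -> dict:
    """Parse the layout: a known key on one line, then one or more value lines
    until the next known key. Malformed hashes or C2 entries raise rather than
    silently producing a bad indicator."""
    keys = set(HASH_LENGTHS) | {"Family", "Botnet", "C2", "rc4.plain"}
    result: dict = {"hashes": {}, "c2": [], "family": None, "botnet": None}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in keys:
            current = line
            continue
        if current in HASH_LENGTHS:
            value = line.lower()
            if len(value) != HASH_LENGTHS[current] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {current}: {line}")
            result["hashes"][current] = value
        elif current == "Family":
            result["family"] = line.lower()
        elif current == "Botnet":
            result["botnet"] = int(line)
        elif current == "C2":
            m = C2_RE.match(line)
            if not m:
                raise ValueError(f"unparseable C2 entry: {line}")
            port = int(m["port"])
            if not 0 < port < 65536:
                raise ValueError(f"bad port in C2 entry: {line}")
            host = m["host"]
            kind = "domain"
            try:
                ip = ipaddress.ip_address(host)
                # A private or loopback C2 in a sandbox report is usually a
                # sinkhole or extraction artefact: flag it, do not block it blindly.
                kind = "ip-private" if ip.is_private or ip.is_loopback else "ip"
            except ValueError:
                pass
            result["c2"].append({"host": host, "port": port, "kind": kind})
    return result


def to_indicator_records(parsed: dict) -> list:
    """One flat record per hash and per public C2 endpoint, tagged with family
    and botnet id so the source of the indicator survives the import."""
    base = {"family": parsed["family"], "botnet": parsed["botnet"]}
    records = [dict(base, type=f"file:{algo.lower()}", value=v)
               for algo, v in parsed["hashes"].items()]
    for c2 in parsed["c2"]:
        if c2["kind"] == "ip":
            records.append(dict(base, type="c2:ip-port", value=f"{c2['host']}:{c2['port']}"))
    return records


if __name__ == "__main__":
    print(json.dumps(to_indicator_records(parse_report(REPORT_TEXT)), indent=2))
```

The two `rc4.plain` keys are parsed as keys but carry no value in the extracted report, so they produce no indicator; the RC4 keys themselves would have to come from the sandbox's config-extractor output.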
Signatures
- YARA rule match
  Processes:
  resource: behavioral1/memory/1028-115-0x00000000735F0000-0x0000000073620000-memory.dmp
  yara_rule: dridex_ldr
- Program crash 1 IoCs
  Processes:
  pid 2964 WerFault.exe, pid_target 1028 rundll32.exe
- Suspicious behavior: EnumeratesProcesses 14 IoCs
  Processes:
  pid 2964 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes:
  pid 2964 WerFault.exe: Token: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
  PID 596 rundll32.exe wrote to memory of 1028 rundll32.exe (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe (PID 596)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\e61cd137b79b66476e496eedb0f9f45f36e94855f3f014e09bb5ff7cc5c23830.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1028)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e61cd137b79b66476e496eedb0f9f45f36e94855f3f014e09bb5ff7cc5c23830.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 2964)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Reading the tree: the DLL is invoked by ordinal (export #1) from the user's Temp directory. The 64-bit rundll32 (PID 596) re-launched the load under C:\Windows\SysWOW64\rundll32.exe (PID 1028), which is rundll32's normal behaviour when handed a 32-bit DLL; the three WriteProcessMemory IoCs are 596 writing into 1028 during that hand-off. The dridex_ldr YARA hit is in PID 1028's memory at 0x735F0000-0x73620000, a 0x30000-byte region consistent with the mapped 174 KB module. WerFault.exe -u -p 1028 then reported PID 1028 crashing, so the loader did not run to completion in this sandbox; the privilege-token and process-enumeration IoCs all belong to WerFault (PID 2964) doing its crash reporting, not to the sample itself.
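The process tree above is a detectable pattern on its own: rundll32 loading a DLL from a user-writable Temp directory by ordinal, re-spawning its 32-bit counterpart, and WerFault then reporting that child crashing. The following is an added example (not part of the report and not a vendor rule) that runs that detection over process-creation records laid out in a Sysmon-style field set (pid, parent pid, image, command line). The events are constructed from the PIDs and command lines the report shows; the parent PID 4321 of the first rundll32 and the benign `shell32.dll,Control_RunDLL` control event are invented for the example, since the report does not show them.

```python
"""Detection for the rundll32 -> SysWOW64 rundll32 -> WerFault tree seen in the
report. Added example; EVENTS is constructed from the report's PIDs and command
lines, with a placeholder parent PID and one benign control event."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\e61cd137b79b66476e496eedb0f9f45f36e94855f3f014e09bb5ff7cc5c23830.dll"

# Constructed events: PIDs 596 -> 1028 -> 2964 as in the report. Parent PID 4321
# is a placeholder (the report does not show the first rundll32's parent), and
# PID 700 is a benign control: a System32 DLL loaded by export name.
EVENTS = [
    ProcEvent(596, 4321, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1028, 596, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2964, 1028, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 644"),
    ProcEvent(700, 4321, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# Assumed patterns for this example: a DLL path under %LOCALAPPDATA%\Temp and
# an ordinal export (",#N") at the end of the rundll32 command line.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\s*$", re.IGNORECASE)
WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def is_rundll32(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\rundll32.exe")


def suspicious_rundll32(ev: ProcEvent) -> bool:
    """rundll32 loading a Temp-directory DLL by ordinal rather than by name."""
    return (is_rundll32(ev)
            and USER_WRITABLE.search(ev.cmdline) is not None
            and ORDINAL_EXPORT.search(ev.cmdline) is not None)


def detect(events: list) -> list:
    """One alert per suspicious rundll32, enriched with whether its parent was
    another rundll32 (the 64-bit -> WoW64 re-spawn) and whether WerFault later
    reported it crashing (a loader dying on a sandbox or missing dependency)."""
    by_pid = {e.pid: e for e in events}
    crashed = set()
    for e in events:
        m = WERFAULT_PID.search(e.cmdline)
        if m and e.image.lower().endswith("\\werfault.exe"):
            crashed.add(int(m.group(1)))
    alerts = []
    for e in events:
        if not suspicious_rundll32(e):
            continue
        parent = by_pid.get(e.ppid)
        alerts.append({
            "pid": e.pid,
            "rule": "rundll32_temp_dll_ordinal",
            "wow64_respawn": parent is not None and is_rundll32(parent),
            "crashed": e.pid in crashed,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Both rundll32 instances fire the base rule; the WoW64 child additionally carries the re-spawn and crash flags, which is the combination worth escalating, while the Control_RunDLL load is ignored because it is neither from Temp nor by ordinal.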