Analysis
max time kernel: 18s
max time network: 135s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 00:36
Static task: static1
General
Target: 9fa7f4e5dd56409a07e28d271b89bfd45f483b6754e10f5be0df1a87e10e0ede.dll
Size: 174KB
MD5: ba5e377532f1e54527c9db21565a211d
SHA1: bf4793a11c76c60399c1d5a4b4e93e25b0cfda69
SHA256: 9fa7f4e5dd56409a07e28d271b89bfd45f483b6754e10f5be0df1a87e10e0ede
SHA512: f7adc2f14babda1616002c7bdbc351ba887cb56470f38bc9eebb5f2cf550431f452da6ba603dff0772149a167ad62eb96d36bd98b8a6a44592f6a944d36145cb
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

YARA match: dridex_ldr
  resource: behavioral1/memory/4012-115-0x00000000755E0000-0x0000000075610000-memory.dmp (memory dump of pid 4012, the SysWOW64 rundll32.exe in the process tree below)

Program crash (1 IoC)
  WerFault.exe pid 1656, target pid 4012 (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  WerFault.exe pid 1656 (14 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  WerFault.exe pid 1656: Token SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
  rundll32.exe PID 4080 wrote to memory of PID 4012 (rundll32.exe), 3 events

Note: the EnumeratesProcesses and AdjustPrivilegeToken hits all belong to WerFault.exe (pid 1656), the Windows Error Reporting handler started after the 32-bit rundll32.exe crashed, so they describe the crash handler rather than the sample. The indicators specific to this sample are the dridex_ldr YARA match in the memory of pid 4012, the 64-bit rundll32.exe (pid 4080) writing into the 32-bit rundll32.exe it spawned, and the extracted C2 configuration above.
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fa7f4e5dd56409a07e28d271b89bfd45f483b6754e10f5be0df1a87e10e0ede.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fa7f4e5dd56409a07e28d271b89bfd45f483b6754e10f5be0df1a87e10e0ede.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

The System32 rundll32.exe is the 64-bit binary; when handed a 32-bit DLL it relaunches the SysWOW64 (32-bit) rundll32.exe with the same arguments, and that child (pid 4012) is the process that loads the sample through export ordinal #1, matches dridex_ldr in memory and then crashes. WerFault.exe is started for the crashed process with -p 4012 (its pid) and -s 644 (a handle passed to WER).
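Detection logic for the chain this report shows (64-bit rundll32.exe relaunching the SysWOW64 rundll32.exe on the same DLL from a user temp directory, WerFault.exe started for that child, and the child contacting one of the extracted C2 endpoints), written here as an added example and not part of the sandbox report. The event records are constructed Sysmon-style process-create and network-connect events that mirror the report's pids 4080, 4012 and 1656; the network event and the benign rundll32.exe entry are constructed too, since the report page lists no connections, and the AppData\Local\Temp path check is an analyst's choice rather than anything the sandbox asserts.

```python
"""Flag the rundll32 -> SysWOW64 rundll32 -> WerFault chain over constructed
Sysmon-style events. Added example, not code from the sandbox report."""
import ntpath
import re
from dataclasses import dataclass

# C2 endpoints as listed in the report's extracted Dridex config.
C2_ENDPOINTS = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}


@dataclass(frozen=True)
class ProcEvent:          # trimmed Sysmon event 1 (process create)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:           # trimmed Sysmon event 3 (network connect)
    pid: int
    dst_ip: str
    dst_port: int


def _dir_and_name(image):
    """Split an image path into (lower-cased directory, lower-cased basename)."""
    return ntpath.dirname(image).lower(), ntpath.basename(image).lower()


def rundll32_target(cmdline):
    """Return the DLL path a rundll32 command line loads, lower-cased, or None."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"').lower()


def werfault_target_pid(cmdline):
    """WerFault.exe -u -p <pid> -s <handle>: return <pid>, or None."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def find_wow64_handoffs(procs):
    """A System32 rundll32 whose child is a SysWOW64 rundll32 on the same DLL
    located under AppData\\Local\\Temp (the temp-dir test is this example's choice)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        cdir, cname = _dir_and_name(child.image)
        if cname != "rundll32.exe" or not cdir.endswith("\\syswow64"):
            continue
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        pdir, pname = _dir_and_name(parent.image)
        if pname != "rundll32.exe" or not pdir.endswith("\\system32"):
            continue
        dll = rundll32_target(child.cmdline)
        if dll and dll == rundll32_target(parent.cmdline) and "\\appdata\\local\\temp\\" in dll:
            hits.append({"parent_pid": parent.pid, "child_pid": child.pid, "dll": dll})
    return hits


def find_crash_of(procs, pid):
    """Return the pid of a WerFault.exe started for <pid>, or None."""
    for p in procs:
        if _dir_and_name(p.image)[1] == "werfault.exe" and werfault_target_pid(p.cmdline) == pid:
            return p.pid
    return None


def c2_contacts(nets, pid):
    """Connections from <pid> to an endpoint in the extracted C2 list."""
    return sorted((n.dst_ip, n.dst_port) for n in nets
                  if n.pid == pid and (n.dst_ip, n.dst_port) in C2_ENDPOINTS)


def analyze(procs, nets):
    """One finding per WOW64 hand-off, enriched with the crash and C2 evidence."""
    findings = []
    for h in find_wow64_handoffs(procs):
        h["werfault_pid"] = find_crash_of(procs, h["child_pid"])
        h["c2"] = c2_contacts(nets, h["child_pid"])
        findings.append(h)
    return findings


# Constructed events mirroring the report's tree (4080 -> 4012 -> 1656) plus a
# benign rundll32 (pid 5200) that must not match. The connection is constructed.
DLL = r"C:\Users\Admin\AppData\Local\Temp\9fa7f4e5dd56409a07e28d271b89bfd45f483b6754e10f5be0df1a87e10e0ede.dll"
SAMPLE_PROCS = [
    ProcEvent(4080, 3000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(4012, 4080, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1656, 4012, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 644"),
    ProcEvent(5200, 3000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]
SAMPLE_NETS = [NetEvent(4012, "178.128.220.64", 30333), NetEvent(5200, "93.184.216.34", 443)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROCS, SAMPLE_NETS):
        print(finding)
```

The hand-off check is the part worth keeping as a hunting rule on its own: a System32 rundll32.exe whose child is the SysWOW64 copy on the same user-writable DLL is uncommon in normal use, and the WerFault and C2 enrichment only raise confidence when present, so a real loader that does not crash still produces a finding.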