Analysis
max time kernel: 26s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 02:59
Static task: static1
General
Target: 0f0261ba6f28dc7fdb71b4032a4eaa3d1c6cb4c901f024fe170373d7d3513a77.dll
Size: 174KB
MD5: d098ddf4f72545cb2eda16a4340518c2
SHA1: 05bdafaedc09bca16749cd9585af7ca86c92135c
SHA256: 0f0261ba6f28dc7fdb71b4032a4eaa3d1c6cb4c901f024fe170373d7d3513a77
SHA512: b477f3128d37416de20625cc40ab900f31856d666a84c3d95b85aa74741fe7ef7d51fd11944b072be70e3bdda0faf14d0d9b7967bbf317d14958e173a1d88c52
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
- 178.128.220.64:30333
- 45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

Processes:
resource: behavioral1/memory/1492-115-0x0000000073C70000-0x0000000073CA0000-memory.dmp
yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
pid: 2176 | pid_target: 1492 | process: WerFault.exe | target process: rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid: 2176 | process: WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description: Token: SeRestorePrivilege | pid: 2176 | process: WerFault.exe
description: Token: SeBackupPrivilege | pid: 2176 | process: WerFault.exe
description: Token: SeDebugPrivilege | pid: 2176 | process: WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description: PID 708 wrote to memory of 1492 | pid: 708 | process: rundll32.exe | target process: rundll32.exe (3 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0261ba6f28dc7fdb71b4032a4eaa3d1c6cb4c901f024fe170373d7d3513a77.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0261ba6f28dc7fdb71b4032a4eaa3d1c6cb4c901f024fe170373d7d3513a77.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken