Analysis
max time kernel: 18s
max time network: 124s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 01:26
Static task: static1

General
Target: ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f.dll
Size: 174KB
MD5: a4a8cb379b3a40014fa35635b3c5bcb3
SHA1: 78ff459cb487e65319d445d32b5c7b70558fdeb8
SHA256: ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f
SHA512: 49835c6033bef20095016adfa6cd59fc70e04efe61e8ce461dbd506ad240f576c8de30d878cbe7057060e0c2e3c3327d2213a3e957cd42d5caf1f55763fe1355
Malware Config
Extracted (from the loader's embedded configuration; no network traffic to these hosts is recorded in this run, since the loader process crashed, so treat the C2 list as a static-extraction result rather than observed behaviour)
Family: dridex
Botnet: 22201
C2:
178.128.220.64:30333
45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

YARA match
resource: behavioral1/memory/3872-115-0x0000000073A10000-0x0000000073A40000-memory.dmp
yara_rule: dridex_ldr

Program crash (1 IoC)
pid=3076 pid_target=3872 process=WerFault.exe target_process=rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid=3076 process=WerFault.exe (14 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeRestorePrivilege pid=3076 process=WerFault.exe
Token: SeBackupPrivilege pid=3076 process=WerFault.exe
Token: SeDebugPrivilege pid=3076 process=WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
PID 3892 wrote to memory of 3872 pid=3892 process=rundll32.exe target_process=rundll32.exe (3 events)
Processes
C:\Windows\system32\rundll32.exe (PID 3892)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f.dll,#1
    Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 3872)
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f.dll,#1
        C:\Windows\SysWOW64\WerFault.exe (PID 3076)
            C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 648
            Program crash
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken

The 64-bit rundll32.exe (PID 3892) cannot load the 32-bit DLL itself and relaunches the same command line under the WoW64 copy in SysWOW64 (PID 3872); the three WriteProcessMemory events are the parent writing into that child. The dridex_ldr YARA hit is on the memory of PID 3872, and that process then crashed, which is why WerFault.exe (PID 3076) appears with -p 3872 and why the run shows no network signatures.
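As an added example that is not part of the sandbox report, the script below turns the report's process tree and extracted configuration into detection checks: rundll32 loading a DLL from the user's Temp directory by ordinal export (",#1"), the 64-bit to SysWOW64 rundll32 handoff, a WerFault crash report for a process already flagged, and connections to the extracted C2 pairs. The process and network events are constructed here to mirror the report (the parent PID 1234 and the benign control events are assumptions); the checks themselves are generic and apply to any Sysmon-style event stream with the same fields.

```python
"""Detection checks derived from the Dridex loader report above.

The sample events below are constructed to mirror the report's process tree;
they are not live sandbox data.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the report.
SAMPLE_SHA256 = "ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f"
DRIDEX_C2 = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}

# rundll32 invoking a DLL by ordinal export (",#1" in the report).
_RUNDLL_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\s\"]+\.dll)\"?,#(?P<ordinal>\d+)", re.IGNORECASE)
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
_WERFAULT_PID = re.compile(r"-p\s+(?P<pid>\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


def sha256_matches(data: bytes) -> bool:
    """File-hash IoC check against the report's SHA256."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


def rundll32_temp_ordinal(ev: ProcEvent) -> bool:
    """rundll32 loading a DLL under %LOCALAPPDATA%\\Temp by ordinal export."""
    m = _RUNDLL_ORDINAL.search(ev.cmdline)
    return bool(m and _TEMP_DIR.search(m.group("dll")))


def wow64_handoff(child: ProcEvent, parent: ProcEvent) -> bool:
    """64-bit rundll32 (system32) relaunching the same DLL under SysWOW64."""
    p, c = parent.image.lower(), child.image.lower()
    if not (p.endswith("\\system32\\rundll32.exe") and c.endswith("\\syswow64\\rundll32.exe")):
        return False
    pm = _RUNDLL_ORDINAL.search(parent.cmdline)
    cm = _RUNDLL_ORDINAL.search(child.cmdline)
    return bool(pm and cm and pm.group("dll").lower() == cm.group("dll").lower())


def werfault_target(ev: ProcEvent) -> Optional[int]:
    """PID that WerFault.exe was started to report a crash for, if any."""
    if not ev.image.lower().endswith("\\werfault.exe"):
        return None
    m = _WERFAULT_PID.search(ev.cmdline)
    return int(m.group("pid")) if m else None


def find_dridex_chain(procs: Iterable[ProcEvent], nets: Iterable[NetEvent] = ()) -> List[str]:
    """Run all checks over an event stream and return human-readable findings."""
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    flagged = set()
    findings: List[str] = []
    for ev in procs:
        if rundll32_temp_ordinal(ev):
            flagged.add(ev.pid)
            findings.append(f"pid {ev.pid}: rundll32 loads Temp DLL by ordinal")
        parent = by_pid.get(ev.ppid)
        if parent and wow64_handoff(ev, parent):
            findings.append(f"pid {ev.pid}: WoW64 rundll32 handoff from pid {parent.pid}")
        tgt = werfault_target(ev)
        if tgt is not None and tgt in flagged:
            findings.append(f"pid {tgt}: crashed under WerFault (pid {ev.pid})")
    for n in nets:
        if (n.dst_ip, n.dst_port) in DRIDEX_C2:
            findings.append(f"pid {n.pid}: connection to Dridex C2 {n.dst_ip}:{n.dst_port}")
    return findings


# Constructed events mirroring the report's tree (PIDs 3892, 3872, 3076 are the
# report's; the parent PID 1234, the benign rundll32 and the 443 flow are assumed).
DLL = r"C:\Users\Admin\AppData\Local\Temp\ac228de57dd2b0f554b350b97664c682681be76e372a32c2a130c819539b9b0f.dll"
SAMPLE_PROCS = [
    ProcEvent(3892, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3872, 3892, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3076, 3872, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 648"),
    ProcEvent(4100, 1234, r"C:\Windows\system32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]
SAMPLE_NETS = [NetEvent(3872, "178.128.220.64", 30333), NetEvent(4100, "13.107.4.52", 443)]

if __name__ == "__main__":
    for line in find_dridex_chain(SAMPLE_PROCS, SAMPLE_NETS):
        print(line)
```

The benign control (rundll32 calling shell32.dll by export name from a system path) produces no finding, so the rules key on the ordinal-export-from-Temp pattern rather than on rundll32 alone.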