Analysis
  max time kernel:  23s
  max time network: 119s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        11-06-2021 00:36
  Static task:      static1
General
  Target: 7f8bdba39477d6b3e030cc2476bb791b7b3641091fe906cbddfb10a18ce487ec.dll
  Size:   174KB
  MD5:    8a555638c82447fcf7ffd00ccfaccd02
  SHA1:   05b294cacd83bbe97dea3b0c769c3bafe2652a47
  SHA256: 7f8bdba39477d6b3e030cc2476bb791b7b3641091fe906cbddfb10a18ce487ec
  SHA512: 702e1bc9a17630c9333b0699776d3de4144670078cf8d055225bac4856ddcfbe593ba5d2c27a49b0a706263c39e6470e76ab2c126fd288d063b1ab1614cb0da5
Malware Config
  Extracted
    Family: dridex
    Botnet: 22201
    C2:     178.128.220.64:30333
            45.79.91.89:9987
    rc4.plain
    rc4.plain
Signatures

  Processes:
    resource                                                                       yara_rule
    behavioral1/memory/504-115-0x0000000073A90000-0x0000000073AC0000-memory.dmp   dridex_ldr

  Program crash (1 IoCs)
  Processes:
    pid    pid_target   process        target process
    3328   504          WerFault.exe   rundll32.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid    process
    3328   WerFault.exe   (14 identical entries)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid    process
    Token: SeRestorePrivilege   3328   WerFault.exe
    Token: SeBackupPrivilege    3328   WerFault.exe
    Token: SeDebugPrivilege     3328   WerFault.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process        target process
    PID 512 wrote to memory of 504   512   rundll32.exe   rundll32.exe   (3 identical entries)
Processes

  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f8bdba39477d6b3e030cc2476bb791b7b3641091fe906cbddfb10a18ce487ec.dll,#1
    PID: 512
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f8bdba39477d6b3e030cc2476bb791b7b3641091fe906cbddfb10a18ce487ec.dll,#1
      PID: 504

      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 648
        PID: 3328
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken