Analysis
max time kernel: 23s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 03:11
Static task: static1
General
Target: 9fa06baf2855be823f528845437489c8ac4939ffa3ed05f1e9a584f5c567efb6.dll
Size: 174KB
MD5: 18c6eb627071649fad3d0805d5579ba3
SHA1: 2dca277dd385d81c2c8f5a9d2b10116f22e73174
SHA256: 9fa06baf2855be823f528845437489c8ac4939ffa3ed05f1e9a584f5c567efb6
SHA512: b2a79d88ea8c0b7e8c580666c6ae03b6cb0a5d39d964160a7144aa31d786690dd54619a50d3fb4169de45271372beb30d63bdcc24b27ac8f131c5932a5c7d73f
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2: 178.128.220.64:30333
C2: 45.79.91.89:9987
rc4.plain
Signatures

Yara rule match
Processes:
  resource: behavioral1/memory/1500-115-0x0000000074310000-0x0000000074340000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
  pid 2208 WerFault.exe, target pid 1500 rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid 2208 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeRestorePrivilege, pid 2208 WerFault.exe
  Token: SeBackupPrivilege, pid 2208 WerFault.exe
  Token: SeDebugPrivilege, pid 2208 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 804 rundll32.exe wrote to memory of PID 1500 rundll32.exe (3 occurrences)
Processes

1. C:\Windows\system32\rundll32.exe (PID 804)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fa06baf2855be823f528845437489c8ac4939ffa3ed05f1e9a584f5c567efb6.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1500, child of 804)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fa06baf2855be823f528845437489c8ac4939ffa3ed05f1e9a584f5c567efb6.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe (PID 2208, child of 1500)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken