Analysis
max time kernel: 26s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 00:07
Static task: static1
General
Target: bdf2267599c0025c6804d9acf3c09003afae4427a72e35f9b47534affcdb5f27.dll
Size: 174KB
MD5: 034f0b25df5655e712f7197aa217fe03
SHA1: c503ad08328efeafa4d450c7398c10ec842885fb
SHA256: bdf2267599c0025c6804d9acf3c09003afae4427a72e35f9b47534affcdb5f27
SHA512: 6898e2db5ef02682d29957d65bee4e6cbe509a233779c064cfb03b294467bcbb4f5671584ee6f53d52042a8d5d5dc05fec948d45593a7c25062268f8dc442f1e
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
178.128.220.64:30333
45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

YARA rule match (memory dump)
resource: behavioral1/memory/1124-115-0x0000000074310000-0x0000000074340000-memory.dmp
yara_rule: dridex_ldr
The matching dump was taken from PID 1124, the SysWOW64 rundll32.exe that hosted the DLL; the region 0x74310000-0x74340000 (0x30000 bytes) lies in the 32-bit user address space, as expected for a WoW64 process.

Program crash (1 IoC)
pid 1336 WerFault.exe -> target pid 1124 rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid 1336 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeRestorePrivilege, pid 1336 WerFault.exe
Token: SeBackupPrivilege, pid 1336 WerFault.exe
Token: SeDebugPrivilege, pid 1336 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
PID 900 rundll32.exe wrote to memory of PID 1124 rundll32.exe (3 occurrences)

Reading these signatures: the three WriteProcessMemory hits come from the 64-bit C:\Windows\system32\rundll32.exe (PID 900) relaunching the same command line under C:\Windows\SysWOW64\rundll32.exe (PID 1124). The 64-bit rundll32 does this for any 32-bit DLL it is given, so the hit reflects the WoW64 re-spawn of a 32-bit sample rather than injection into a foreign process. All WerFault.exe signatures (EnumeratesProcesses, SeRestore/SeBackup/SeDebugPrivilege) belong to Windows Error Reporting collecting a crash dump of PID 1124 (WerFault.exe -u -p 1124 -s 644); they describe the crash handler, not the sample. The signal that does point at the sample is the YARA hit on the dridex_ldr rule in PID 1124's memory, together with the extracted config (botnet 22201 and the two C2 endpoints).
Processes

C:\Windows\system32\rundll32.exe (PID 900)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdf2267599c0025c6804d9acf3c09003afae4427a72e35f9b47534affcdb5f27.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 1124)
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdf2267599c0025c6804d9acf3c09003afae4427a72e35f9b47534affcdb5f27.dll,#1
       └─ C:\Windows\SysWOW64\WerFault.exe (PID 1336)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 644
            signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

The sample is invoked by export ordinal (",#1"). The 64-bit rundll32 (PID 900) hands the 32-bit DLL to the SysWOW64 rundll32 (PID 1124), which is the process that actually executed export #1, produced the dridex_ldr YARA hit and then crashed (WerFault -p 1124). The report lists no network signatures: the observed activity ends with the 32-bit host crashing, so the two C2 endpoints come from the extracted configuration, not from observed traffic.
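As an added example that is not part of the sandbox report: a small detector for the chain this report shows (rundll32 running a DLL by export ordinal from a user-writable path, the WoW64 re-spawn, the WerFault crash of the DLL host) plus a check against the C2 endpoints from the Malware Config section. It assumes a Sysmon-like event schema (the field names EventType, Image, CommandLine, ProcessId, ParentProcessId, DestinationIp and DestinationPort are assumptions). The process events are constructed to mirror the report's tree (PIDs 900, 1124, 1336); the network events are hypothetical, added only to exercise the C2 check, since the report shows no traffic.

```python
"""Detect the rundll32 loader chain and C2 endpoints described in the report.

Added example, not code from the report. Event fields follow an assumed
Sysmon-like schema; REPORT_EVENTS are constructed to mirror the report's
process tree, HYPOTHETICAL_EVENTS are invented to exercise the network check.
"""
import re

# C2 endpoints as listed under Malware Config in the report.
DRIDEX_C2 = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}

# rundll32 invoking a DLL by export ordinal (",#1") rather than by name.
RUNDLL_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),#(?P<ordinal>\d+)\b", re.IGNORECASE)
# DLL paths under a user profile that any user can write to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\", re.IGNORECASE)
# WerFault's -p <pid> names the process that crashed.
WERFAULT_PID = re.compile(r"werfault\.exe.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def analyze(events):
    """Return (severity, pid, description) findings in event order."""
    findings = []
    loader_hosts = {}  # pid -> DLL path, for rundll32 processes that loaded a flagged DLL
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            image, cmd = ev["Image"], ev["CommandLine"]
            pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
            m = RUNDLL_ORDINAL.search(cmd)
            if is_rundll32(image) and m and USER_WRITABLE.search(m.group("dll")):
                loader_hosts[pid] = m.group("dll")
                if ppid in loader_hosts and "\\syswow64\\" in image.lower():
                    # 64-bit rundll32 relaunching a 32-bit DLL under SysWOW64: expected, not injection.
                    findings.append(("info", pid, "WoW64 rundll32 re-spawn of 32-bit DLL"))
                else:
                    findings.append(("medium", pid,
                                     f"rundll32 ran export #{m.group('ordinal')} of DLL "
                                     f"in user-writable path: {m.group('dll')}"))
            w = WERFAULT_PID.search(cmd)
            if w and int(w.group("pid")) in loader_hosts:
                findings.append(("medium", int(w.group("pid")),
                                 "rundll32 DLL host crashed (WerFault); loader may have aborted"))
        elif ev["EventType"] == "NetworkConnect":
            dst = (ev["DestinationIp"], ev["DestinationPort"])
            if dst in DRIDEX_C2:
                findings.append(("high", ev["ProcessId"], f"connection to Dridex C2 {dst[0]}:{dst[1]}"))
    return findings


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\bdf2267599c0025c6804d9acf3c09003afae4427a72e35f9b47534affcdb5f27.dll")

# Constructed to mirror the report's process tree; parent PID 4312 is invented.
REPORT_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 900, "ParentProcessId": 4312,
     "Image": r"C:\Windows\system32\rundll32.exe", "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventType": "ProcessCreate", "ProcessId": 1124, "ParentProcessId": 900,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventType": "ProcessCreate", "ProcessId": 1336, "ParentProcessId": 1124,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 644"},
]

# Hypothetical: the report shows no traffic; these exist only to exercise the C2 check.
HYPOTHETICAL_EVENTS = [
    {"EventType": "NetworkConnect", "ProcessId": 1124,
     "DestinationIp": "178.128.220.64", "DestinationPort": 30333},
    {"EventType": "NetworkConnect", "ProcessId": 1124,
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},  # benign, must not fire
]

if __name__ == "__main__":
    for sev, pid, desc in analyze(REPORT_EVENTS + HYPOTHETICAL_EVENTS):
        print(f"[{sev}] pid {pid}: {desc}")
```

Against the report's own events the script yields one medium finding for PID 900 (ordinal call into a Temp-path DLL), an informational note for PID 1124 (WoW64 re-spawn) and a second medium finding for the WerFault crash of PID 1124; the high-severity C2 finding appears only when the hypothetical connection is included, which matches the report showing no traffic.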