Analysis
max time kernel: 18s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 00:36
Static task: static1
General
Target: 3c7cd1f8dab50f2332b60103a2284a14779591264533790844cf85e899a6836b.dll
Size: 174KB
MD5: 373671a502aab9c2ae9955eadbffd561
SHA1: a66ce38a6aee22aaab67649e11f3fe9f7f1c87f9
SHA256: 3c7cd1f8dab50f2332b60103a2284a14779591264533790844cf85e899a6836b
SHA512: 1fc52477c5b2b5fddb93d4918cfed5fa281e3a09ce825ee42feb6467c8f0c3a0b9a090345ed741cfee8c0668c30029fae922639cdf63bcee819f837869fd08fc
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

YARA match (memory)
Processes:
  resource: behavioral1/memory/3932-115-0x0000000074090000-0x00000000740C0000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
  pid 188 (WerFault.exe) -> pid_target 3932 (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid 188 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeRestorePrivilege  pid 188 WerFault.exe
  Token: SeBackupPrivilege   pid 188 WerFault.exe
  Token: SeDebugPrivilege    pid 188 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 3540 wrote to memory of 3932  3540 rundll32.exe -> rundll32.exe
  PID 3540 wrote to memory of 3932  3540 rundll32.exe -> rundll32.exe
  PID 3540 wrote to memory of 3932  3540 rundll32.exe -> rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7cd1f8dab50f2332b60103a2284a14779591264533790844cf85e899a6836b.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7cd1f8dab50f2332b60103a2284a14779591264533790844cf85e899a6836b.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 652
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken