Analysis
- max time kernel: 17s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:11
- Static task: static1
General
- Target: 71d0c8ad4f81d91a31495b90b7c6be002285bfd73d5d012f34fcc07740960d71.dll
- Size: 174KB
- MD5: f449bbab5a1cef33b3dbb6594267ba66
- SHA1: a55ab0b6668c1a19fabbe66258738cf78d7066d2
- SHA256: 71d0c8ad4f81d91a31495b90b7c6be002285bfd73d5d012f34fcc07740960d71
- SHA512: ce19b85d390182ffaedcc83cb2a91797a3b76322f501eb9ae1fc60137eb233ce27250682296850ad0508f5fc76c322d9d8be7cb08142e70e2ff9572438161d8a
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
Signatures
-
Processes:
  resource | yara_rule
  behavioral1/memory/772-115-0x0000000073BF0000-0x0000000073C20000-memory.dmp | dridex_ldr
- Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  1072 | 772 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: WerFault.exe
  pid | process
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
  1072 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description | pid | process
  Token: SeRestorePrivilege | 1072 | WerFault.exe
  Token: SeBackupPrivilege | 1072 | WerFault.exe
  Token: SeDebugPrivilege | 1072 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description | pid | process | target process
  PID 3152 wrote to memory of 772 | 3152 | rundll32.exe | rundll32.exe
  PID 3152 wrote to memory of 772 | 3152 | rundll32.exe | rundll32.exe
  PID 3152 wrote to memory of 772 | 3152 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71d0c8ad4f81d91a31495b90b7c6be002285bfd73d5d012f34fcc07740960d71.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71d0c8ad4f81d91a31495b90b7c6be002285bfd73d5d012f34fcc07740960d71.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken