Analysis
- max time kernel: 24s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 00:35
- Static task: static1
General
- Target: 00d1201705b3b8c398f061497ade84bb5b3509bbdcda4bf1a75b8a011a465200.dll
- Size: 174KB
- MD5: fc900158575c3012abf57b93e1dd9b54
- SHA1: 7b6136b7268fdf24dbfc9d98e7fc4dbaacd70d51
- SHA256: 00d1201705b3b8c398f061497ade84bb5b3509bbdcda4bf1a75b8a011a465200
- SHA512: 8ea48e900c47afc807926793034896a4b922dc4ca41aff6ebf56afc6400129f104dadbb76fe8ec60408568f9b0e57f4a2234f6480835ba39f49adc594de18ac4
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/3148-115-0x0000000073890000-0x00000000738C0000-memory.dmp  dridex_ldr

Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  1528  3148        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  pid   process
  1528  WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1528  WerFault.exe
  Token: SeBackupPrivilege   1528  WerFault.exe
  Token: SeDebugPrivilege    1528  WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                       pid   process       target process
  PID 2988 wrote to memory of 3148  2988  rundll32.exe  rundll32.exe
  PID 2988 wrote to memory of 3148  2988  rundll32.exe  rundll32.exe
  PID 2988 wrote to memory of 3148  2988  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\00d1201705b3b8c398f061497ade84bb5b3509bbdcda4bf1a75b8a011a465200.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\00d1201705b3b8c398f061497ade84bb5b3509bbdcda4bf1a75b8a011a465200.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 648
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken