Analysis

Max time kernel:  17s
Max time network: 116s
Platform:         windows10_x64
Resource:         win10v20210410
Submitted:        11-06-2021 03:16
Static task:      static1
General

Target: dc4c713c8d80a1a1105a0faa843b01e838e4ee3208edd4d98f14a322d91e6591.dll
Size:   174KB
MD5:    61831eb724f3328ade9c8a82339a9551
SHA1:   1558a128d8238c991646fa0d21f722ef38cc979a
SHA256: dc4c713c8d80a1a1105a0faa843b01e838e4ee3208edd4d98f14a322d91e6591
SHA512: e44fca1969091b64355b172f13f2c29a5258eea0e5dd0ae8a2032639071928fac4642378aa6a9fce78e718ed164021d2953ac7861eee81187ad09e934f7d1ff4
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:     178.128.220.64:30333
        45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

Processes:
  resource:  behavioral1/memory/1628-115-0x00000000736D0000-0x0000000073700000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1296  1628        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  1296  WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1296  WerFault.exe
  Token: SeBackupPrivilege   1296  WerFault.exe
  Token: SeDebugPrivilege    1296  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process       target process
  PID 3176 wrote to memory of 1628  3176  rundll32.exe  rundll32.exe
  PID 3176 wrote to memory of 1628  3176  rundll32.exe  rundll32.exe
  PID 3176 wrote to memory of 1628  3176  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc4c713c8d80a1a1105a0faa843b01e838e4ee3208edd4d98f14a322d91e6591.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc4c713c8d80a1a1105a0faa843b01e838e4ee3208edd4d98f14a322d91e6591.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken