Analysis
- max time kernel: 28s
- max time network: 89s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 03:40
- Static task: static1
General
- Target: d66ea0f1cd0b354245960d539d7665927506fcbb893a7743af8188737de33647.dll
- Size: 170KB
- MD5: f22b55b1d8b15bedddf8f8f74c247630
- SHA1: 4bf8a69bd493b2a97df745f10f708c2e3aed1538
- SHA256: d66ea0f1cd0b354245960d539d7665927506fcbb893a7743af8188737de33647
- SHA512: 8ac2d19a17376999b4b4267576400537c81d97245c62dc094ed563dec6cc0e5ebe74c7aff12123cb348e53e8eaf1ed731a27f0757a94cb7f4024bf01c520fdf3
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
- rc4.plain
- rc4.plain
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
  description              pid   process       target process
  PID 3676 created 2180    3676  WerFault.exe  rundll32.exe
-
Yara rule match: dridex_ldr
Processes:
  resource                                                                        yara_rule
  behavioral1/memory/2180-115-0x0000000074350000-0x000000007437F000-memory.dmp   dridex_ldr
-
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  3676  2180        WerFault.exe  rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  pid   process
  3676  WerFault.exe  (14 identical events)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   3676  WerFault.exe
  Token: SeBackupPrivilege    3676  WerFault.exe
  Token: SeDebugPrivilege     3676  WerFault.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                       pid  process       target process
  PID 740 wrote to memory of 2180   740  rundll32.exe  rundll32.exe  (3 identical events)
-
Note: apart from the YARA match on the memory of PID 2180 and the WriteProcessMemory events from PID 740, every signature above fires on WerFault.exe (PID 3676), the Windows error-reporting process started because the 32-bit rundll32.exe (PID 2180) crashed. Those entries describe crash handling, not behaviour of the sample itself; the sample-specific evidence in this run is the dridex_ldr match in the 32-bit address range 0x74350000-0x000000007437F000 and the extracted config (botnet 22201, four C2 endpoints).
Processes
-
C:\Windows\system32\rundll32.exe  (PID 740)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d66ea0f1cd0b354245960d539d7665927506fcbb893a7743af8188737de33647.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe  (PID 2180)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d66ea0f1cd0b354245960d539d7665927506fcbb893a7743af8188737de33647.dll,#1
    -
    C:\Windows\SysWOW64\WerFault.exe  (PID 3676)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 648
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
The DLL is invoked by export ordinal (",#1") from the user's Temp directory. The 64-bit rundll32.exe (PID 740) re-launches the SysWOW64 copy (PID 2180) to host the module, which is consistent with a 32-bit DLL and matches the 32-bit address range of the YARA hit; that child crashes, and WerFault.exe is started for it (-p 2180). The parent-rundll32 to SysWOW64-rundll32 chain with a Temp-path DLL loaded by ordinal is the hunting pattern to take from this tree.
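The following is an added detection example written for this page; it is not part of the sandbox report or its tooling. It hunts, over Sysmon-style process-creation (event ID 1) and network-connection (event ID 3) records, for the exact chain in the process tree above (rundll32.exe loading a DLL from AppData\Local\Temp by ordinal, spawning a SysWOW64 rundll32.exe for the same DLL, optionally followed by WerFault.exe for that child) and for connections to the four extracted C2 endpoints. The event records are constructed for illustration; the PIDs, paths and C2 list mirror the report. Field names (`id`, `pid`, `ppid`, `image`, `cmd`, `dst_ip`, `dst_port`) are assumed and would be mapped from whatever log source is in use.

```python
"""Hunt for the rundll32 -> SysWOW64 rundll32 -> WerFault chain and the
Dridex C2 set from the report above, over Sysmon-style events.

Added example, not part of the sandbox report. The SAMPLE_EVENTS below are
constructed; their PIDs, command lines and C2 addresses mirror the report.
"""
import re
from collections import defaultdict

# C2 endpoints from the report's extracted config (dridex, botnet 22201).
DRIDEX_C2 = {
    ("210.65.244.187", 443),
    ("162.241.41.92", 2303),
    ("46.231.204.10", 8172),
    ("185.183.159.100", 4125),
}

# rundll32 loading a DLL from the user's Temp directory by export ordinal (",#N").
TEMP_DLL_ORDINAL = re.compile(
    r"rundll32\.exe\s+(?P<dll>\S+\\AppData\\Local\\Temp\\[^,\s]+\.dll),#(?P<ordinal>\d+)",
    re.IGNORECASE,
)
# WerFault.exe invoked for a crashed process: "-p <pid>".
WERFAULT_TARGET = re.compile(r"werfault\.exe.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\d66ea0f1cd0b354245960d539d7665927506fcbb893a7743af8188737de33647.dll")

# Constructed sample events (assumed field names). id 1 = process create, id 3 = network connect.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 740, "ppid": 4200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"id": 1, "pid": 2180, "ppid": 740, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"id": 3, "pid": 2180, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_ip": "210.65.244.187", "dst_port": 443},
    {"id": 1, "pid": 3676, "ppid": 2180, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 648"},
    # Benign noise: rundll32 loading a system DLL by name, and an unrelated WerFault.
    {"id": 1, "pid": 5000, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
    {"id": 1, "pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\WerFault.exe",
     "cmd": r"C:\Windows\System32\WerFault.exe -u -p 5000 -s 100"},
]


def _werfault_for(children, pid):
    """True if one of pid's children is WerFault.exe started for pid (-p <pid>)."""
    for child in children:
        if "werfault.exe" not in child["image"].lower():
            continue
        m = WERFAULT_TARGET.search(child["cmd"])
        if m and int(m.group("pid")) == pid:
            return True
    return False


def hunt(events):
    """Return one finding string per suspicious rundll32 chain and per C2 contact."""
    findings = []
    children = defaultdict(list)
    for e in events:
        if e["id"] == 1:
            children[e["ppid"]].append(e)

    # 1. rundll32 loads a Temp DLL by ordinal and spawns a SysWOW64 rundll32 for the same DLL.
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = TEMP_DLL_ORDINAL.search(e["cmd"])
        if not m:
            continue
        dll = m.group("dll").lower()
        for kid in children[e["pid"]]:
            if "\\syswow64\\rundll32.exe" not in kid["image"].lower() or dll not in kid["cmd"].lower():
                continue
            crashed = _werfault_for(children[kid["pid"]], kid["pid"])
            findings.append(
                f"rundll32 chain: pid {e['pid']} -> wow64 pid {kid['pid']} "
                f"loaded {m.group('dll')} by ordinal #{m.group('ordinal')}"
                + (" (then crashed under WerFault)" if crashed else "")
            )

    # 2. Any process connecting to one of the extracted C2 endpoints.
    for e in events:
        if e["id"] == 3 and (e["dst_ip"], e["dst_port"]) in DRIDEX_C2:
            findings.append(f"C2 contact: pid {e['pid']} -> {e['dst_ip']}:{e['dst_port']}")
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The chain rule keys on the parent/child relationship plus the same Temp-path DLL in both command lines, so a 64-bit rundll32.exe hosting a legitimate system DLL (the shell32.dll noise event) does not fire. The WerFault check is only an enrichment: the chain is reported with or without the crash, since a sample that does not crash in the sandbox still shows the first two steps.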