Analysis
max time kernel: 25s
max time network: 86s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 00:27
Static task: static1
General
Target: 16bea185d8ea3a385b97d5b50dbc401e01cc2cfd8d8702ba6f68ecdb33622430.dll
Size: 174KB
MD5: dd35afa014ae304e3ac69613b6ff7cf0
SHA1: 5e1ec2c2793d52d85ef9a6c9eedfe23e14c33e8d
SHA256: 16bea185d8ea3a385b97d5b50dbc401e01cc2cfd8d8702ba6f68ecdb33622430
SHA512: 73320a3fe2266a131d256c6e1005eb91f1f67e4afeb3ba2ecd52e1bebb349dff0a9fc4982d61a9a8f93f43dfa23e8c3e729854840469e95f7a1bce5db86cc563
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain: two entries listed; the key values are not captured on this page
Signatures

YARA rule match in process memory
  resource: behavioral1/memory/836-115-0x00000000744D0000-0x0000000074500000-memory.dmp
  yara_rule: dridex_ldr
  (the dump is from PID 836, the SysWOW64 rundll32.exe in the process tree below; 0x744D0000-0x74500000 is a 0x30000-byte region in the 32-bit address space)

Program crash (1 IoC)
  pid   pid_target  process       target process
  1020  836         WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  1020  WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  1020  WerFault.exe
  Token: SeBackupPrivilege   1020  WerFault.exe
  Token: SeDebugPrivilege    1020  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                     pid  process       target process
  PID 628 wrote to memory of 836  628  rundll32.exe  rundll32.exe  (3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\16bea185d8ea3a385b97d5b50dbc401e01cc2cfd8d8702ba6f68ecdb33622430.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\16bea185d8ea3a385b97d5b50dbc401e01cc2cfd8d8702ba6f68ecdb33622430.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
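The process tree above is the usual shape of a 32-bit DLL detonated by ordinal (`,#1`) on 64-bit Windows: the system32 rundll32.exe (PID 628) re-executes the SysWOW64 copy (PID 836) with the same command line, the DLL is mapped in the child (the dridex_ldr YARA hit is in 836's memory), and the child faults, so WerFault.exe is started with `-p 836`. The following is an added example, not sandbox output, showing how an analyst would turn those observables into detection logic: rundll32 loading a temp-dir DLL by ordinal, the system32-to-SysWOW64 rundll32 hop, a WerFault crash report pointing at a rundll32, a connection to the extracted C2 list, and decoding of the memory-dump resource name. The event records, their field names (pid, ppid, image, cmdline, dst_ip, dst_port) and the parent PID 400 are constructed assumptions; the PIDs, paths and C2 endpoints are taken from this page.

```python
"""Added example: detection logic over the observables in this Dridex report.
Not sandbox output; the event schema and sample records are constructed."""
import re
from dataclasses import dataclass

# C2 endpoints from the extracted Dridex config (botnet 22201) on this page.
DRIDEX_C2 = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\16bea185d8ea3a385b97d5b50dbc401e01cc2cfd8d8702ba6f68ecdb33622430.dll")


@dataclass
class ProcEvent:            # assumed schema, not the sandbox's own
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:             # assumed schema, not the sandbox's own
    pid: int
    dst_ip: str
    dst_port: int


# "rundll32 <dll>,#<ordinal>" or "rundll32 <dll>,<ExportName>"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|\w+)', re.I)
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")
DUMP_NAME_RE = re.compile(r"^(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def rundll32_findings(procs):
    """Flag rundll32 loading a DLL from a user temp dir by ordinal, and a SysWOW64
    rundll32 spawned by a system32 one (64-bit rundll32 re-executes the 32-bit
    copy for a 32-bit DLL; the payload then runs in the child)."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if not p.image.lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_RE.search(p.cmdline)
        if m and USER_TEMP_RE.search(m["dll"]) and m["export"].startswith("#"):
            out.append(("rundll32_temp_dll_ordinal", p.pid, f"{m['dll']},{m['export']}"))
        parent = by_pid.get(p.ppid)
        if (parent and parent.image.lower().endswith("\\system32\\rundll32.exe")
                and p.image.lower().endswith("\\syswow64\\rundll32.exe")):
            out.append(("rundll32_wow64_hop", p.pid, f"parent {p.ppid}"))
    return out


def crash_findings(procs):
    """WerFault -p <pid> whose target is a rundll32: the host faulted after the
    DLL was mapped, which is what 'Program crash' records above."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        m = WERFAULT_PID_RE.search(p.cmdline)
        if not p.image.lower().endswith("\\werfault.exe") or not m:
            continue
        target = by_pid.get(int(m.group(1)))
        if target and target.image.lower().endswith("\\rundll32.exe"):
            out.append(("rundll32_crashed", target.pid, f"reported by WerFault {p.pid}"))
    return out


def c2_findings(nets, c2=DRIDEX_C2):
    """Match outbound connections against the extracted C2 list (exact ip:port)."""
    return [("dridex_c2_contact", n.pid, f"{n.dst_ip}:{n.dst_port}")
            for n in nets if (n.dst_ip, n.dst_port) in c2]


def parse_dump_name(name):
    """Decode the memory-dump resource name into pid and region bounds. The
    meaning of the second numeric field is not given on the page; kept raw."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start,
            "in_32bit_range": end <= 0x80000000}   # WoW64 user-mode address


# Constructed events mirroring the process tree on this page; ppid 400 for the
# first rundll32 is an assumption (its parent is not shown in the report).
SAMPLE_PROCS = [
    ProcEvent(628, 400, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(836, 628, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1020, 836, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 644"),
    ProcEvent(900, 400, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),   # benign control panel use
]
# Constructed: the page lists C2 from the config only, not from a capture.
SAMPLE_NETS = [NetEvent(836, "178.128.220.64", 30333), NetEvent(836, "8.8.8.8", 53)]

if __name__ == "__main__":
    for f in (rundll32_findings(SAMPLE_PROCS) + crash_findings(SAMPLE_PROCS)
              + c2_findings(SAMPLE_NETS)):
        print(*f)
    print(parse_dump_name("836-115-0x00000000744D0000-0x0000000074500000-memory.dmp"))
```

The benign `shell32.dll,Control_RunDLL` record is included to show that the temp-path and ordinal conditions are what separate this loader pattern from everyday rundll32 use; on its own, rundll32 spawning rundll32 or being crash-reported by WerFault is too common to alert on.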