Analysis
- max time kernel: 25s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 00:35
- Static task: static1
General
- Target: ea519d5fb47698af9fa420e72e45778000436e275f59795a5e96a40a5dc71988.dll
- Size: 174KB
- MD5: 5ef59a0a49256221ca9dc1626b7fc173
- SHA1: 85e4d3151fb61d1adc7f8b3016267a347bf38a47
- SHA256: ea519d5fb47698af9fa420e72e45778000436e275f59795a5e96a40a5dc71988
- SHA512: 40d6f2907a713a1214c4f084dd0295d72e2c7e1efcc5d920e2cedc75d433441281888e658be9cb7d5bd244450635ecb15b1f17fb12cb1c6d3c893023be79de84
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
- Yara rule match
  Processes:
  - resource: behavioral1/memory/908-115-0x0000000074440000-0x0000000074470000-memory.dmp
    yara_rule: dridex_ldr
- Program crash (1 IoCs)
  Processes:
  - pid 2016 WerFault.exe -> pid_target 908 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - pid 2016 WerFault.exe (14 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeRestorePrivilege, pid 2016 WerFault.exe
  - Token: SeBackupPrivilege, pid 2016 WerFault.exe
  - Token: SeDebugPrivilege, pid 2016 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 656 (rundll32.exe) wrote to memory of 908 (rundll32.exe), 3 events
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea519d5fb47698af9fa420e72e45778000436e275f59795a5e96a40a5dc71988.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea519d5fb47698af9fa420e72e45778000436e275f59795a5e96a40a5dc71988.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken