Analysis
Max time kernel: 18s
Max time network: 126s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 11-06-2021 03:16
Static task: static1
General
Target: bd816cf7ad1427ca48deb5ccdff1e897f20baf63df35b4a7fd6e6bdf65c268fb.dll
Size: 174KB
MD5: 41ca40276052e59bd7ad543a255a58b7
SHA1: 2f4ddb7419dfc8ab3aa1ea80137e88148317292c
SHA256: bd816cf7ad1427ca48deb5ccdff1e897f20baf63df35b4a7fd6e6bdf65c268fb
SHA512: afc5e2130f2b5de7c06ea1034f3c9e9b0859b709e6affbe78905a1c648425ecd86c2dbb17532a8847ea4f891290e03976c5db0e1ddb2208617040f9614e96ec4
Malware Config (extracted)
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

YARA rule matches:
resource                                                                      yara_rule
behavioral1/memory/3580-115-0x0000000073DE0000-0x0000000073E10000-memory.dmp  dridex_ldr

Program crash (1 IoC)
pid   pid_target  process       target process
4056  3580        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   process
4056  WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                pid   process
Token: SeRestorePrivilege  4056  WerFault.exe
Token: SeBackupPrivilege   4056  WerFault.exe
Token: SeDebugPrivilege    4056  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   process       target process
PID 3840 wrote to memory of 3580  3840  rundll32.exe  rundll32.exe  (3 identical entries)

Note: the dridex_ldr rule fired on a memory dump of PID 3580, the SysWOW64 rundll32.exe that loaded the DLL; that hit, together with the extracted configuration, is what ties this sample to the Dridex loader. Every EnumeratesProcesses and AdjustPrivilegeToken entry comes from WerFault.exe (PID 4056), which is Windows Error Reporting handling the crash of PID 3580; these are expected for a crash dump and are not attacker behaviour. The WriteProcessMemory entries (PID 3840 writing into PID 3580) are consistent with the 64-bit rundll32.exe relaunching the 32-bit SysWOW64 copy for a 32-bit DLL with the same command line, not with injection into a foreign process.
Processes

C:\Windows\system32\rundll32.exe (PID 3840)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd816cf7ad1427ca48deb5ccdff1e897f20baf63df35b4a7fd6e6bdf65c268fb.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 3580)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd816cf7ad1427ca48deb5ccdff1e897f20baf63df35b4a7fd6e6bdf65c268fb.dll,#1
      └ C:\Windows\SysWOW64\WerFault.exe (PID 4056)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 644
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

The ",#1" argument tells rundll32.exe to call the DLL's export at ordinal 1 rather than a named export. The "-p 3580" argument to WerFault.exe names the process that crashed, so the loader died inside the 32-bit rundll32.exe after the region matched by dridex_ldr had been mapped. The C2 addresses above come from the extracted configuration; this report lists no network activity for the run.
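Added example (not code from this report or from the sandbox vendor): a small Python detection module that turns the report's indicators into two checks, an atomic match on the sample hash and the extracted C2 endpoints, and a behavioural match for the process chain above (a rundll32.exe parent, a SysWOW64 rundll32.exe child loading a DLL by ordinal, and WerFault.exe reporting that child's PID). The event dicts and their field names (event, pid, ppid, image, cmdline, dst_ip, dst_port, sha256, path) are constructed, Sysmon-like records and are assumptions; the benign control connection is made up.

```python
"""Detection helpers derived from the indicators in this report.

Added example, not part of the sandbox report or of any Dridex tooling.
The event records are constructed, Sysmon-like dicts; the field names
(event, pid, ppid, image, cmdline, dst_ip, dst_port, sha256, path) are
assumptions, so map them onto whatever your telemetry actually emits.
"""
import re

# Indicators taken from the report.
SAMPLE_SHA256 = "bd816cf7ad1427ca48deb5ccdff1e897f20baf63df35b4a7fd6e6bdf65c268fb"
C2_ENDPOINTS = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}
DLL_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\bd816cf7ad1427ca48deb5ccdff1e897f20baf63df35b4a7fd6e6bdf65c268fb.dll")

# rundll32.exe <file>.dll,#<n>: the DLL is invoked by export ordinal, not by name.
RUNDLL32_ORDINAL_RE = re.compile(
    r"rundll32\.exe\s+(?P<dll>\S+?\.dll),#(?P<ordinal>\d+)", re.IGNORECASE)
# WerFault.exe -u -p <pid> -s <event>: <pid> is the process that crashed.
WERFAULT_PID_RE = re.compile(r"-p\s+(?P<pid>\d+)")


def match_iocs(events):
    """Atomic indicators: the sample hash and the extracted C2 endpoints."""
    hits = []
    for ev in events:
        kind = ev.get("event")
        if kind == "file_hash" and ev.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append(("hash", ev["path"]))
        elif kind == "network_connect" and (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
            hits.append(("c2", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return hits


def find_rundll32_crash_chain(events):
    """Behavioural chain seen in the report: a rundll32.exe parent spawns a
    SysWOW64 rundll32.exe that loads a DLL by ordinal, and WerFault.exe is
    then started with -p <that child pid>, i.e. the child crashed.
    Returns a list of (parent_pid, child_pid, werfault_pid, dll_path)."""
    procs = {ev["pid"]: ev for ev in events if ev.get("event") == "process_create"}
    crashed = {}  # pid handed to WerFault -p  ->  WerFault's own pid
    for pid, ev in procs.items():
        if ev["image"].lower().endswith(r"\werfault.exe"):
            m = WERFAULT_PID_RE.search(ev.get("cmdline", ""))
            if m:
                crashed[int(m.group("pid"))] = pid
    chains = []
    for pid, ev in procs.items():
        if not ev["image"].lower().endswith(r"\syswow64\rundll32.exe"):
            continue
        m = RUNDLL32_ORDINAL_RE.search(ev.get("cmdline", ""))
        parent = procs.get(ev.get("ppid"))
        if not m or parent is None or not parent["image"].lower().endswith(r"\rundll32.exe"):
            continue
        if pid in crashed:
            chains.append((parent["pid"], pid, crashed[pid], m.group("dll")))
    return chains


# Constructed sample telemetry reproducing the process tree in the report
# (PIDs 3840 -> 3580 -> 4056) plus one benign connection as a control.
SAMPLE_EVENTS = [
    {"event": "file_hash", "path": DLL_PATH, "sha256": SAMPLE_SHA256},
    {"event": "process_create", "pid": 3840, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL_PATH},#1"},
    {"event": "process_create", "pid": 3580, "ppid": 3840,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL_PATH},#1"},
    {"event": "network_connect", "pid": 3580, "dst_ip": "178.128.220.64", "dst_port": 30333},
    {"event": "network_connect", "pid": 2000, "dst_ip": "93.184.216.34", "dst_port": 443},
    {"event": "process_create", "pid": 4056, "ppid": 3580,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 644"},
]

if __name__ == "__main__":
    print(match_iocs(SAMPLE_EVENTS))
    print(find_rundll32_crash_chain(SAMPLE_EVENTS))
```

The behavioural check deliberately requires the WerFault.exe "-p" PID to equal the child rundll32.exe PID; a 64-bit rundll32.exe spawning the SysWOW64 copy is normal for any 32-bit DLL, so the crash is what makes the pattern worth an alert on its own. Drop that requirement only if you also require the ordinal-style ",#n" argument plus a hash or C2 hit.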