Analysis
max time kernel: 25s
max time network: 134s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 00:35
Static task: static1
General
Target: cc5528a966751eed9752be3fa00fe28fb7de2029c92da142f0ac354301320e35.dll
Size: 174KB
MD5: dfd87654a75ff8421026b52426716e16
SHA1: efa641268649a27bc875208cd02f362850ce9574
SHA256: cc5528a966751eed9752be3fa00fe28fb7de2029c92da142f0ac354301320e35
SHA512: c9f0be6994f03272bea6641e6781a9ea508739214dbdad1580d9cd7c4474d0ee7352be526b5cc71a434886fd20ce0d470f21e8dda3479a6c48699c6bafc9cf5e
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                          yara_rule
  behavioral1/memory/1644-115-0x0000000073990000-0x00000000739C0000-memory.dmp      dridex_ldr

Program crash (1 IoC)
Processes:
  pid    pid_target   process        target process
  3828   1644         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid    process
  3828   WerFault.exe   (14 entries, all pid 3828 WerFault.exe)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid    process
  Token: SeRestorePrivilege   3828   WerFault.exe
  Token: SeBackupPrivilege    3828   WerFault.exe
  Token: SeDebugPrivilege     3828   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                          pid    process        target process
  PID 1400 wrote to memory of 1644     1400   rundll32.exe   rundll32.exe
  PID 1400 wrote to memory of 1644     1400   rundll32.exe   rundll32.exe
  PID 1400 wrote to memory of 1644     1400   rundll32.exe   rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc5528a966751eed9752be3fa00fe28fb7de2029c92da142f0ac354301320e35.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc5528a966751eed9752be3fa00fe28fb7de2029c92da142f0ac354301320e35.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 648
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken