Analysis

max time kernel: 17s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 03:12
Static task: static1
General

Target: 13c45fd8886d5c8fe570154063f58db1f6381e37bbce563762bd03e0c501db52.dll
Size: 174KB
MD5: 445209dbd05ff7d56513be5071552162
SHA1: a507d112640ce5fffafe0a770c84da60a5ed3d3c
SHA256: 13c45fd8886d5c8fe570154063f58db1f6381e37bbce563762bd03e0c501db52
SHA512: a610385edb3bd28d66e0669a2d9409b980193d50bd9e63d504689bd6d3e86089cdcf8136a14f447ea42c017821e389342aafdd936dcd94453e13080f1fef30b2
Malware Config (Extracted)

Family: dridex
Botnet: 22201
C2:
    178.128.220.64:30333
    45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

YARA rule match
    resource                                                                  | yara_rule
    behavioral1/memory/3700-115-0x00000000739D0000-0x0000000073A00000-memory.dmp | dridex_ldr

Program crash (1 IoCs)
    pid  | pid_target | process      | target process
    3384 | 3700       | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid  | process
    3384 | WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description               | pid  | process
    Token: SeRestorePrivilege | 3384 | WerFault.exe
    Token: SeBackupPrivilege  | 3384 | WerFault.exe
    Token: SeDebugPrivilege   | 3384 | WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
    description                       | pid  | process      | target process
    PID 3744 wrote to memory of 3700  | 3744 | rundll32.exe | rundll32.exe   (3 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13c45fd8886d5c8fe570154063f58db1f6381e37bbce563762bd03e0c501db52.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13c45fd8886d5c8fe570154063f58db1f6381e37bbce563762bd03e0c501db52.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken