Analysis
- max time kernel: 21s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 03:11
- Static task: static1

General
- Target: d10bf9308283ce34766580ab69a992cc9d371b82ed5dc0e28159597e1b500c17.dll
- Size: 174KB
- MD5: 0930b8545408592a02a128cbd31d1149
- SHA1: 0f8d6240e8aa7219c478800c8d2950e31b30aadc
- SHA256: d10bf9308283ce34766580ab69a992cc9d371b82ed5dc0e28159597e1b500c17
- SHA512: f9bee756e9474fde693b0ec2907b0028efbe80d2e52ecd6b7e37091da3959412a9009cfd19a206343714ea0b0d1c9d5baef961fff8c892b9aaefa459adfeac12
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource                                                                        yara_rule
  behavioral1/memory/1168-115-0x0000000073F10000-0x0000000073F40000-memory.dmp    dridex_ldr

- Program crash (1 IoCs)
  Processes:
  pid     pid_target    process         target process
  2680    1168          WerFault.exe    rundll32.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid     process
  2680    WerFault.exe    (the same entry is listed 14 times)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                   pid     process
  Token: SeRestorePrivilege     2680    WerFault.exe
  Token: SeBackupPrivilege      2680    WerFault.exe
  Token: SeDebugPrivilege       2680    WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                         pid    process         target process
  PID 472 wrote to memory of 1168     472    rundll32.exe    rundll32.exe
  PID 472 wrote to memory of 1168     472    rundll32.exe    rundll32.exe
  PID 472 wrote to memory of 1168     472    rundll32.exe    rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d10bf9308283ce34766580ab69a992cc9d371b82ed5dc0e28159597e1b500c17.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d10bf9308283ce34766580ab69a992cc9d371b82ed5dc0e28159597e1b500c17.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken