Analysis
max time kernel: 18s
max time network: 123s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 02:49
Static task: static1
General
Target: a3c890dc93fa3a3fb33f59d80d85e1b9926a9c3622ec7e053f831c415a30802f.dll
Size: 174KB
MD5: 96e2f59e49b550a757d201a68abee6a3
SHA1: f7063467a1b5399c750913b81a4894e9e68bf01d
SHA256: a3c890dc93fa3a3fb33f59d80d85e1b9926a9c3622ec7e053f831c415a30802f
SHA512: 6dd97632aba3fa1915a685e607849237193f93985c959cecb0142b73b6589d937dca3425e20a78ab4a4f81074af47ba7acafbb87998469a4672a78946e9a803d
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain: (two rc4.plain key fields were extracted; their values are not reproduced on this page)

The botnet ID and the two C2 host:port pairs come from the configuration recovered from the unpacked loader in memory, not from network traffic observed in the run, so they remain usable indicators even though the loader process crashed (see Signatures below).
Signatures
YARA rule match: dridex_ldr (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/3264-115-0x0000000073A10000-0x0000000073A40000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  process       target process
  1300  3264        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  1300  WerFault.exe  (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  1300  WerFault.exe
  Token: SeBackupPrivilege   1300  WerFault.exe
  Token: SeDebugPrivilege    1300  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process       target process
  PID 3896 wrote to memory of 3264  3896  rundll32.exe  rundll32.exe  (3 identical entries)

Reading these signatures: the only hit attributable to the sample itself is the dridex_ldr YARA match on the memory dump of rundll32.exe (PID 3264), the 32-bit process that actually hosted the DLL. The EnumeratesProcesses and AdjustPrivilegeToken entries all belong to WerFault.exe (PID 1300), which Windows Error Reporting launched to dump the crashed rundll32.exe process; enabling SeDebugPrivilege and walking the process list is normal for WerFault and is not loader behaviour. The WriteProcessMemory entries are the 64-bit rundll32.exe (PID 3896) writing into the 32-bit rundll32.exe (PID 3264) it spawned under SysWOW64.
Processes
C:\Windows\system32\rundll32.exe (PID 3896)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3c890dc93fa3a3fb33f59d80d85e1b9926a9c3622ec7e053f831c415a30802f.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 3264)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3c890dc93fa3a3fb33f59d80d85e1b9926a9c3622ec7e053f831c415a30802f.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (PID 1300)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 652
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The tree shows the sandbox's standard launcher invoking the DLL's export #1 by ordinal; the 64-bit rundll32.exe re-launches the SysWOW64 copy because the DLL is 32-bit, and that child is the process whose memory matched dridex_ldr and which subsequently crashed (WerFault.exe -p 3264). PIDs are taken from the signature tables above.
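The process chain above (rundll32.exe loading a DLL from the user's Temp directory by ordinal, re-launching itself under SysWOW64, then being dumped by WerFault.exe) is a pattern worth encoding as a detection. The following Python is an added example, not part of the sandbox report: it runs a small heuristic over constructed process-creation events that mirror this report's tree. The event schema (pid, ppid, image, cmdline) is an assumed Sysmon-like shape, not the sandbox's export format, and the root process's parent PID is a placeholder.

```python
"""Heuristic triage of a rundll32 -> rundll32 (SysWOW64) -> WerFault chain.

Added example; the events are constructed from the process tree in the
report above (PIDs 3896, 3264, 1300). Field names are an assumed,
Sysmon-like schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\a3c890dc93fa3a3fb33f59d80d85e1b9926a9c3622ec7e053f831c415a30802f.dll")

# Constructed events mirroring the report; ppid 0 for the root is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(3896, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3264, 3896, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1300, 3264, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 652"),
]

# rundll32 invoked with "<path>.dll,#<ordinal>" (export called by ordinal).
ORDINAL_LOAD = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.I)
# WerFault's "-p <pid>" names the crashed process.
WERFAULT_TARGET = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.I)
# DLL staged in a user-writable Temp directory.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def is_rundll32(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\rundll32.exe")


def is_wow64(ev: ProcEvent) -> bool:
    return "\\syswow64\\" in ev.image.lower()


def ordinal_loads(events):
    """Return (pid, dll, ordinal) for rundll32 loads of a Temp-staged DLL by ordinal."""
    hits = []
    for ev in events:
        m = ORDINAL_LOAD.search(ev.cmdline)
        if is_rundll32(ev) and m and USER_WRITABLE.search(m["dll"]):
            hits.append((ev.pid, m["dll"], int(m["ordinal"])))
    return hits


def analyze(events):
    """Return sorted (finding, pid) tuples for the three stages of the chain."""
    by_pid = {ev.pid: ev for ev in events}
    loads = {pid: dll for pid, dll, _ in ordinal_loads(events)}
    findings = [("rundll32_ordinal_temp_dll", pid) for pid in loads]

    # A 64-bit rundll32 re-launching a SysWOW64 rundll32 for the same DLL:
    # the usual sign that the staged DLL is 32-bit.
    for pid, dll in loads.items():
        parent = by_pid.get(by_pid[pid].ppid)
        if (parent and is_rundll32(parent) and not is_wow64(parent) and is_wow64(by_pid[pid])
                and loads.get(parent.pid, "").lower() == dll.lower()):
            findings.append(("wow64_relaunch", pid))

    # WerFault reporting a crash of one of the flagged rundll32 processes.
    for ev in events:
        m = WERFAULT_TARGET.search(ev.cmdline)
        if m and int(m["pid"]) in loads:
            findings.append(("loader_crash", int(m["pid"])))
    return sorted(findings)


if __name__ == "__main__":
    for finding, pid in analyze(SAMPLE_EVENTS):
        print(f"{finding:28} pid={pid}")
```

The crash finding is what separates this run from a successful Dridex loader execution: a loader that stayed alive would instead be expected to produce network events toward the extracted C2 addresses, so the absence of those plus a WerFault child of the rundll32 host is a useful signal that the sample detonated incompletely rather than not at all.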