Analysis
- max time kernel: 18s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 00:13
- Static task: static1
General
- Target: 67108642ff6b61f92146234414c1a657c0caa2882548bc9ef6d8e02304dae410.dll
- Size: 174KB
- MD5: b08fe5cb6d276dda8a801f7f5a80c9a2
- SHA1: 4d665e94b5027d34cf90c6d3a3e604c815c93e2e
- SHA256: 67108642ff6b61f92146234414c1a657c0caa2882548bc9ef6d8e02304dae410
- SHA512: c85c72a835f04ffc91b3ce3daa8f5576af2d3202e299a1b4aaa82573253a799c0b416e616b09dc5c6bb9799161fe8ebad4fbb50273bdbf322ca2580c277cf588
Malware Config (Extracted)
- Family: dridex
- Botnet: 22201
- C2: 178.128.220.64:30333, 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
- Yara rule match
  Processes: resource behavioral1/memory/3764-115-0x00000000741E0000-0x0000000074210000-memory.dmp, yara_rule dridex_ldr
- Program crash (1 IoC)
  Processes: pid 2764 WerFault.exe, target pid 3764 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: pid 2764 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: pid 2764 WerFault.exe, Token: SeRestorePrivilege; Token: SeBackupPrivilege; Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 3188 rundll32.exe wrote to memory of 3764 rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\67108642ff6b61f92146234414c1a657c0caa2882548bc9ef6d8e02304dae410.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\67108642ff6b61f92146234414c1a657c0caa2882548bc9ef6d8e02304dae410.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken