Analysis
max time kernel: 17s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 03:09
Static task: static1
General
Target: 1d37760ecc57201df1668e6a4eb9434ea2193c2c0c2209f020ce2b3956a33434.dll
Size: 174KB
MD5: b24080c5ea1ae53af398e594eb5f5060
SHA1: f4c2028185f209282d0ec9c2729d00f0e657e373
SHA256: 1d37760ecc57201df1668e6a4eb9434ea2193c2c0c2209f020ce2b3956a33434
SHA512: f8006f249b78370eb9bc793620354fa016cc72e20e2863d65572e8076010b559ca0a6cef69f5374e8dc320be0b74c89c3ca10312888eb47f25869ae232a78c82
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
- 178.128.220.64:30333
- 45.79.91.89:9987
rc4.plain (two entries; the RC4 key values are not included in this export)
Signatures

YARA match: dridex_ldr
Processes:
  resource: behavioral1/memory/3932-115-0x0000000074090000-0x00000000740C0000-memory.dmp (memory dump of pid 3932)
  yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
  pid 1548 WerFault.exe, target pid 3932 rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid 1548 WerFault.exe (14 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  pid 1548 WerFault.exe: Token: SeRestorePrivilege
  pid 1548 WerFault.exe: Token: SeBackupPrivilege
  pid 1548 WerFault.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 3540 rundll32.exe wrote to memory of PID 3932 rundll32.exe (3 events)

Note: the EnumeratesProcesses, AdjustPrivilegeToken and Program crash IoCs are all raised by WerFault.exe (pid 1548) while it handles the crash of the 32-bit rundll32.exe (pid 3932); they are Windows crash-reporting behaviour, not actions of the sample. The sample-attributable evidence in this run is the dridex_ldr YARA match in the memory of pid 3932, the WriteProcessMemory events from pid 3540 into pid 3932, and the extracted configuration above.
Processes
- C:\Windows\system32\rundll32.exe (PID 3540)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d37760ecc57201df1668e6a4eb9434ea2193c2c0c2209f020ce2b3956a33434.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3932; the 64-bit rundll32 re-launches the 32-bit DLL under WOW64 with the same arguments)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d37760ecc57201df1668e6a4eb9434ea2193c2c0c2209f020ce2b3956a33434.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 1548)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 656
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
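As an added example (not part of this sandbox report or of any vendor's tooling), the script below turns the report's indicators into detection logic a SOC could run: it flags rundll32.exe invoking a DLL export by ordinal (",#1") from a per-user Temp directory, the WOW64 re-launch of that process, and a WerFault crash report for a flagged pid; it also matches network flows against the extracted C2 list and emits Suricata rules for it. The process-creation events and the flow list are constructed to mirror the process tree and C2 list above and are not real telemetry; the ProcEvent structure and the `detect`, `c2_hits` and `suricata_rules` functions are this example's own names.

```python
"""Detection logic built from the Dridex sandbox report above (added example,
not part of the report). Events and flows are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# IoCs copied from the report.
SAMPLE_SHA256 = "1d37760ecc57201df1668e6a4eb9434ea2193c2c0c2209f020ce2b3956a33434"
DRIDEX_BOTNET = 22201
DRIDEX_C2 = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}


@dataclass
class ProcEvent:
    """Minimal process-creation event (Sysmon EID 1 style); hypothetical shape."""
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\%s.dll" % SAMPLE_SHA256

# Constructed events reproducing the report's process tree, plus one benign
# rundll32 launch (shell32 control panel) that must not be flagged.
EVENTS = [
    ProcEvent(3540, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3932, 3540, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1548, 3932, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 656"),
    ProcEvent(2000, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# rundll32 calling an export by ordinal: "<path>.dll,#<n>" (optionally quoted path).
ORDINAL_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\.dll)"?,#(?P<ordinal>\d+)', re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WERFAULT_TARGET = re.compile(r"WerFault\.exe\s+.*-p\s+(?P<pid>\d+)", re.I)


def is_rundll32(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\rundll32.exe")


def rundll32_ordinal_from_temp(ev: ProcEvent) -> bool:
    """True when rundll32 loads a DLL by ordinal export from a user Temp dir."""
    m = ORDINAL_EXPORT.search(ev.cmdline)
    return is_rundll32(ev) and bool(m) and bool(USER_TEMP.search(m.group("dll")))


def detect(events: List[ProcEvent]) -> List[str]:
    """Return human-readable findings for the process pattern seen in the report."""
    flagged = {ev.pid for ev in events if rundll32_ordinal_from_temp(ev)}
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if ev.pid in flagged:
            findings.append(f"pid {ev.pid}: rundll32 loads DLL by ordinal from user Temp: {ev.cmdline}")
        # 64-bit rundll32 spawning the 32-bit rundll32 with the same command line (WOW64 re-launch).
        if ev.ppid in flagged and is_rundll32(ev) and ev.cmdline == by_pid[ev.ppid].cmdline:
            findings.append(f"pid {ev.pid}: WOW64 re-launch of flagged pid {ev.ppid}")
        m = WERFAULT_TARGET.search(ev.cmdline)
        if m and int(m.group("pid")) in flagged:
            findings.append(f"pid {ev.pid}: WerFault reports crash of flagged pid {m.group('pid')}")
    return findings


def c2_hits(flows: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Flows (dst_ip, dst_port) that match the extracted C2 endpoints."""
    return [f for f in flows if f in DRIDEX_C2]


def suricata_rules(start_sid: int = 1000001) -> List[str]:
    """One alert rule per C2 endpoint; sids are assumed free in the deployment."""
    rules = []
    for i, (ip, port) in enumerate(sorted(DRIDEX_C2)):
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"Dridex botnet {DRIDEX_BOTNET} C2 {ip}:{port}"; sid:{start_sid + i}; rev:1;)')
    return rules


# Constructed flows: two C2 contacts, a DNS lookup and an unrelated port on a C2 host.
FLOWS = [("178.128.220.64", 30333), ("8.8.8.8", 53), ("45.79.91.89", 9987), ("45.79.91.89", 443)]

if __name__ == "__main__":
    for line in detect(EVENTS) + [f"C2 contact: {ip}:{port}" for ip, port in c2_hits(FLOWS)] + suricata_rules():
        print(line)
```

The benign `shell32.dll,Control_RunDLL` launch is deliberately included: rundll32 by itself is too common to alert on, so the rule keys on the combination of an ordinal export and a user-writable Temp path, and only then chains the WOW64 re-launch and WerFault crash onto that pid.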