Analysis
  max time kernel:  24s
  max time network: 116s
  platform:         windows10_x64
  resource:         win10v20210408
  submitted:        11-06-2021 00:12
  Static task:      static1
General
  Target: 555c0319d988219da52ca6716d523c1504a51b1dc6135f2dbba9c36cc6a20356.dll
  Size:   174KB
  MD5:    520f1879c57f46fbbea6ea8a0358c02b
  SHA1:   db1f45ddb484e1306947c785ec517162365892a5
  SHA256: 555c0319d988219da52ca6716d523c1504a51b1dc6135f2dbba9c36cc6a20356
  SHA512: d3b00c837c2cd013cbdf186f1ba1ec91129e13a54286687268cac0bbe7de69ce216dce93f9c9b601b671a4ccf664288fc7ac210ab49f5af2a192bd817bbdc689
Malware Config (Extracted)
  Family: dridex
  Botnet: 22201
  C2:
    178.128.220.64:30333
    45.79.91.89:9987
  rc4.plain
  rc4.plain
Signatures

  Dridex loader detected (yara_rule)
    resource                                                                  rule
    behavioral1/memory/1276-115-0x0000000073ED0000-0x0000000073F00000-memory.dmp  dridex_ldr

  Program crash (1 IoC)
    pid   pid_target  process       target process
    2428  1276        WerFault.exe  rundll32.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid   process
    2428  WerFault.exe  (14 occurrences)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description               pid   process
    Token: SeRestorePrivilege 2428  WerFault.exe
    Token: SeBackupPrivilege  2428  WerFault.exe
    Token: SeDebugPrivilege   2428  WerFault.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid  process       target process
    PID 852 wrote to memory of 1276    852  rundll32.exe  rundll32.exe
    PID 852 wrote to memory of 1276    852  rundll32.exe  rundll32.exe
    PID 852 wrote to memory of 1276    852  rundll32.exe  rundll32.exe
Processes

  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\555c0319d988219da52ca6716d523c1504a51b1dc6135f2dbba9c36cc6a20356.dll,#1
       - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\555c0319d988219da52ca6716d523c1504a51b1dc6135f2dbba9c36cc6a20356.dll,#1

        3. C:\Windows\SysWOW64\WerFault.exe
           Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 648
             - Program crash
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken