Analysis

Max time kernel: 22s
Max time network: 119s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 11-06-2021 00:13
Static task: static1
General

Target: b38fc28b9b2439b63c04ed44d80ed6cbb4aefa8dfbae93ed7934c1bd3282a130.dll
Size: 174KB
MD5: 5206f05ea399d9083f90556cd255d610
SHA1: dac75a15829ae6b4c96aff923aafe519211d8002
SHA256: b38fc28b9b2439b63c04ed44d80ed6cbb4aefa8dfbae93ed7934c1bd3282a130
SHA512: 806d7be2e8a14bffca5d7a22384001146a39c2e2644a9fc97f3e3dd750f92502e4258d26020d4ea6809714f81a32c7455008bb97f5a42656bc4b833c97534473
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

YARA match
  resource                                                                      yara_rule
  behavioral1/memory/964-115-0x0000000073550000-0x0000000073580000-memory.dmp   dridex_ldr

Program crash (1 IoC)
  pid    pid_target   process        target process
  2264   964          WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid    process
  2264   WerFault.exe   (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                  pid    process
  Token: SeRestorePrivilege    2264   WerFault.exe
  Token: SeBackupPrivilege     2264   WerFault.exe
  Token: SeDebugPrivilege      2264   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   process        target process
  PID 800 wrote to memory of 964   800   rundll32.exe   rundll32.exe   (3 occurrences)
Processes

C:\Windows\system32\rundll32.exe (PID 800)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b38fc28b9b2439b63c04ed44d80ed6cbb4aefa8dfbae93ed7934c1bd3282a130.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 964)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b38fc28b9b2439b63c04ed44d80ed6cbb4aefa8dfbae93ed7934c1bd3282a130.dll,#1
      └ C:\Windows\SysWOW64\WerFault.exe (PID 2264)
          C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 644
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample is a 32-bit DLL, so the 64-bit rundll32.exe in system32 (PID 800) relaunches the same command line under the 32-bit rundll32.exe in SysWOW64 (PID 964), which is what the WriteProcessMemory entries from 800 to 964 reflect. The export is called by ordinal (#1). The 32-bit instance then crashes and is picked up by WerFault.exe (-p 964); the dridex_ldr YARA hit is on the memory of that same process (the 964-…-memory.dmp resource), so the loader was mapped before the crash ended the run.
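The chain above (rundll32 loading a DLL by ordinal from a user-writable path, the 64-bit to 32-bit rundll32 hand-off, and WerFault reporting a crash of that rundll32) is a reasonable thing to alert on from process-creation telemetry. The following is an added example, not part of the sandbox report or of any sandbox's code: it runs three heuristics over a small process list that I constructed from the report's Processes section. The record layout (`pid`, `ppid`, `image`, `cmdline`) and the severity labels are my own assumptions, not a sandbox export format.

```python
"""Heuristics for the rundll32 -> WerFault chain seen in the report (added example)."""
import re

# Constructed from the report's Processes section; field names are assumptions.
SAMPLE_PROCESSES = [
    {"pid": 800, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b38fc28b9b2439b63c04ed44d80ed6cbb4aefa8dfbae93ed7934c1bd3282a130.dll,#1"},
    {"pid": 964, "ppid": 800,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b38fc28b9b2439b63c04ed44d80ed6cbb4aefa8dfbae93ed7934c1bd3282a130.dll,#1"},
    {"pid": 2264, "ppid": 964,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 644"},
]

# Paths a standard user can write to; a DLL loaded from here is far more
# suspicious than one under Program Files or the Windows directory.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
# rundll32 "<dll>,#<ordinal>" or "<dll>,<ExportName>"
RUNDLL_ARG = re.compile(
    r"rundll32\.exe\s+(?P<dll>.+?\.dll),(?P<export>#\d+|\w+)", re.I)
# WerFault's -p argument names the crashed process
WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.I)


def analyze(procs):
    """Return (severity, pid, reason) findings for a list of process records."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        image = p["image"].lower()
        parent = by_pid.get(p["ppid"])

        # 1. rundll32 loading a DLL from a user-writable directory.
        #    Calling an export by ordinal (#N) is the more evasive form, so rank it higher.
        m = RUNDLL_ARG.search(p["cmdline"])
        if m and USER_WRITABLE.search(m["dll"]):
            sev = "high" if m["export"].startswith("#") else "medium"
            findings.append((sev, p["pid"],
                             f"rundll32 calls {m['export']} in user-writable DLL {m['dll']}"))

        # 2. 64-bit rundll32 re-spawning the 32-bit one: the DLL is 32-bit.
        if (parent and image.endswith("\\rundll32.exe")
                and parent["image"].lower().endswith("\\rundll32.exe")
                and "\\syswow64\\" in image
                and "\\system32\\" in parent["image"].lower()):
            findings.append(("info", p["pid"],
                             "system32 rundll32 relaunched sample under SysWOW64 rundll32 (32-bit DLL)"))

        # 3. WerFault reporting a crash of a rundll32 that hosted such a DLL.
        w = WERFAULT_PID.search(p["cmdline"])
        if w:
            target = by_pid.get(int(w["pid"]))
            if target and RUNDLL_ARG.search(target["cmdline"]):
                findings.append(("medium", p["pid"],
                                 f"WerFault reports crash of rundll32 pid {w['pid']} hosting a user-path DLL"))
    return findings


def max_severity(findings):
    """Collapse findings to one label for routing an alert."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for sev, pid, reason in analyze(SAMPLE_PROCESSES):
        print(f"[{sev:6}] pid {pid}: {reason}")
    print("overall:", max_severity(analyze(SAMPLE_PROCESSES)))
```

Heuristic 1 fires on both rundll32 instances (the command line is identical), heuristic 2 only on the SysWOW64 child, and heuristic 3 on WerFault because its -p target is a rundll32 with a user-path DLL. The crash correlation matters because a loader that dies under WerFault, as here, still had its code mapped long enough for a memory YARA hit; the WerFault event is your pointer to which process to dump.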