Analysis

max time kernel: 24s
max time network: 113s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 00:36
Static task: static1
General

Target: 744dc91773ed8445eab338eafb2dfc299c0c9a95bd5d8cc15fb4ca3568a58534.dll
Size: 174KB
MD5: 7093fe7be6598c49f97d36228776a1d9
SHA1: 80c7325d04eb9d0790c9d071e14f82a09c8bb190
SHA256: 744dc91773ed8445eab338eafb2dfc299c0c9a95bd5d8cc15fb4ca3568a58534
SHA512: efd071a1f15019f2d8cef236bc7d012aff6885cbc073bdad1ababf30bfaec8d03189d8e9826fb450832f2009bc2d956032c37b000737592583381b10fc97f712
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
- 178.128.220.64:30333
- 45.79.91.89:9987
rc4.plain
rc4.plain
Signatures

- Yara rule match: dridex_ldr
  Processes:
  resource: behavioral1/memory/1632-115-0x0000000074400000-0x0000000074430000-memory.dmp
  yara_rule: dridex_ldr

- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  1368  1632        WerFault.exe  rundll32.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  1368  WerFault.exe  (14 identical entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  1368  WerFault.exe
  Token: SeBackupPrivilege   1368  WerFault.exe
  Token: SeDebugPrivilege    1368  WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      pid  process       target process
  PID 784 wrote to memory of 1632  784  rundll32.exe  rundll32.exe
  (3 identical entries)
Processes

1. C:\Windows\system32\rundll32.exe (PID 784)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\744dc91773ed8445eab338eafb2dfc299c0c9a95bd5d8cc15fb4ca3568a58534.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1632)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\744dc91773ed8445eab338eafb2dfc299c0c9a95bd5d8cc15fb4ca3568a58534.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe (PID 1368)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken