Analysis
- Max time kernel: 17s
- Max time network: 125s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 11-06-2021 00:28
- Static task: static1
General
- Target: 813cffe5436c6e4c69d46ec1dfaafca0cb0c58c782178a073b4a357588db8f6b.dll
- Size: 174KB
- MD5: 52e623c3bc301dc7ee2d7e9731382cd2
- SHA1: b8484e26130ae37ef04c04b5f3a2daf6227b47a5
- SHA256: 813cffe5436c6e4c69d46ec1dfaafca0cb0c58c782178a073b4a357588db8f6b
- SHA512: e2d935b8200ed9187ec39af7b1a2b438cd6e77cd65d2e412d768d585dd7e88d5626757dc26838a07e0725c4dc83b9e0a0e6c025a5a6d970a6d5615591f7369d1
Malware Config (extracted)
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- Keys: rc4.plain (two entries; key values not included in the report)
Signatures

Yara rule match
- Resource: behavioral1/memory/3888-115-0x0000000074090000-0x00000000740C0000-memory.dmp
- Rule: dridex_ldr

Program crash (1 IoC)
- PID 3104 (WerFault.exe), target PID 3888 (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 3104 (WerFault.exe), 14 occurrences

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeRestorePrivilege, PID 3104 (WerFault.exe)
- Token: SeBackupPrivilege, PID 3104 (WerFault.exe)
- Token: SeDebugPrivilege, PID 3104 (WerFault.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3932 (rundll32.exe) wrote to memory of PID 3888 (rundll32.exe), 3 occurrences
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\813cffe5436c6e4c69d46ec1dfaafca0cb0c58c782178a073b4a357588db8f6b.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\813cffe5436c6e4c69d46ec1dfaafca0cb0c58c782178a073b4a357588db8f6b.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 648
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken