Analysis
- max time kernel: 18s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 03:11
- Static task: static1
General
- Target: 487f058ae02ca92bdaf36b352f4540c35bd72f7934a00fe60e9e4a0ddde1af10.dll
- Size: 174KB
- MD5: 179225711b802811f3a677998506a0b5
- SHA1: 5df4b5653363340965c1210d4b3adf31842ed924
- SHA256: 487f058ae02ca92bdaf36b352f4540c35bd72f7934a00fe60e9e4a0ddde1af10
- SHA512: 43613b5ef96809bdd5974d1dc0dcc4a99a787e102bcd757585b8a0a77c098b84eee61915501ba8f9b4f00c9a731a5c813065e3e82c923037829662d44b4e9b40
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2: 178.128.220.64:30333, 45.79.91.89:9987
- rc4.plain
Signatures
-
  Processes:
  resource | yara_rule
  behavioral1/memory/4056-115-0x0000000074480000-0x00000000744B0000-memory.dmp | dridex_ldr
- Program crash 1 IoCs
  Processes:
  pid | pid_target | process | target process
  4052 | 4056 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses 14 IoCs
  Processes:
  pid | process
  4052 | WerFault.exe (identical row repeated 14 times)
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 4052 | WerFault.exe
  Token: SeBackupPrivilege | 4052 | WerFault.exe
  Token: SeDebugPrivilege | 4052 | WerFault.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
  description | pid | process | target process
  PID 3560 wrote to memory of 4056 | 3560 | rundll32.exe | rundll32.exe (identical row repeated 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\487f058ae02ca92bdaf36b352f4540c35bd72f7934a00fe60e9e4a0ddde1af10.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\487f058ae02ca92bdaf36b352f4540c35bd72f7934a00fe60e9e4a0ddde1af10.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 648
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken