Analysis
max time kernel: 17s
max time network: 116s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 00:36
Static task: static1
General
Target: 006ac0122193622662a0dd766ac7e2c1951cc1c1d2623d683c5fc731e7225803.dll
Size: 174KB
MD5: 7d717e0f65b4f35c9f94aebf4abb35a7
SHA1: 9426078793d2b8ca1f8ae6547e0118d0ea6875f9
SHA256: 006ac0122193622662a0dd766ac7e2c1951cc1c1d2623d683c5fc731e7225803
SHA512: e3314038b72f84b3d60eb26eb467eba3038d9e594a559f85e05865bc9ca407787a0a367c611ceae74997b43e3abe7dc256583d75cc57d2faa9faecab0d9cc175
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  178.128.220.64:30333
  45.79.91.89:9987
rc4.plain
rc4.plain
Signatures
-
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/8-115-0x0000000073860000-0x0000000073890000-memory.dmp   dridex_ldr
Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target   process        target process
  732   8            WerFault.exe   rundll32.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: WerFault.exe
  pid   process
  732   WerFault.exe   (same row repeated 14 times, one per IoC)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description                 pid   process
  Token: SeRestorePrivilege   732   WerFault.exe
  Token: SeBackupPrivilege    732   WerFault.exe
  Token: SeDebugPrivilege     732   WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                     pid    process        target process
  PID 4056 wrote to memory of 8   4056   rundll32.exe   rundll32.exe
  PID 4056 wrote to memory of 8   4056   rundll32.exe   rundll32.exe
  PID 4056 wrote to memory of 8   4056   rundll32.exe   rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\006ac0122193622662a0dd766ac7e2c1951cc1c1d2623d683c5fc731e7225803.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\006ac0122193622662a0dd766ac7e2c1951cc1c1d2623d683c5fc731e7225803.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken