Analysis
- max time kernel: 18s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 00:35
- Static task: static1
General
- Target: cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b.dll
- Size: 174KB
- MD5: 2b93de9fb6b448ee31455917281973ab
- SHA1: 774db59d3d816d968d9f5669f03076bb90bffc6f
- SHA256: cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b
- SHA512: f657cd36872c39d3e48b3724e6332f7c0b28e19a550f747d552ba2e4aad8bb76ba6b61a77aae0baa27cc7adb46ea0157b98bdb88be4fece3c2db8f147df25d06
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource:  behavioral1/memory/3452-115-0x00000000742E0000-0x0000000074310000-memory.dmp
  yara_rule: dridex_ldr
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3596  3452        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  3596  WerFault.exe  (the same row is listed 14 times in the report)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  3596  WerFault.exe
  Token: SeBackupPrivilege   3596  WerFault.exe
  Token: SeDebugPrivilege    3596  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process       target process
  PID 4092 wrote to memory of 3452  4092  rundll32.exe  rundll32.exe  (the same row is listed 3 times in the report)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbf8be917b0c7dae7e83cde3a781e8074022cc6dfa059d87c96895992b74736b.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken