Analysis
- max time kernel: 23s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 00:36
- Static task: static1
General
- Target: 16d2072700d11c35a65fd56caef17dc028bda2c45c4bf0fc0e02b217f32e872a.dll
- Size: 174KB
- MD5: cf342d67b3d927d8e3676404be8d941f
- SHA1: f5c53cb8a283ac807fa1e7f8d8e499c5edf53d62
- SHA256: 16d2072700d11c35a65fd56caef17dc028bda2c45c4bf0fc0e02b217f32e872a
- SHA512: 41600ae778976a9c8c3ca06302ebd67c5531ad1aa0b87e3b4a3d540e225a4a655be90ca839a0044596204c062e9b891e541bcf2da7b7ea572ffc42a5daaf3b86
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  178.128.220.64:30333
  45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
- Dridex loader memory signature
  Processes:
  resource: behavioral1/memory/3496-115-0x0000000073530000-0x0000000073560000-memory.dmp
  yara_rule: dridex_ldr
- Program crash (1 IoCs)
  Processes:
  pid 3832 WerFault.exe, target pid 3496 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid 3832 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token: SeRestorePrivilege, pid 3832 WerFault.exe
  Token: SeBackupPrivilege, pid 3832 WerFault.exe
  Token: SeDebugPrivilege, pid 3832 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 4024 rundll32.exe wrote to memory of PID 3496 rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16d2072700d11c35a65fd56caef17dc028bda2c45c4bf0fc0e02b217f32e872a.dll,#1
  PID: 4024
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16d2072700d11c35a65fd56caef17dc028bda2c45c4bf0fc0e02b217f32e872a.dll,#1
    PID: 3496
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 648
      PID: 3832
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken