Analysis
- max time kernel: 17s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 00:19
- Static task: static1
General
- Target: 0ac93976fc04561aebc4ce978f3eb2ecafc7cfe121bbeff8bd03604ecf46608e.dll
- Size: 174KB
- MD5: 549636018761c1363c19ea818e3b6549
- SHA1: 22eeaa916257b9f82349fe595bb55f27b3d46a95
- SHA256: 0ac93976fc04561aebc4ce978f3eb2ecafc7cfe121bbeff8bd03604ecf46608e
- SHA512: 2bb378b52373c0cd03331d61fac26d03c46425a37b9b9e9264f1823f7232d68a4e07acbb82dd1a42c62631f2ca3458d9094d086d151e2737d81873d621cc1bae
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2: 178.128.220.64:30333
- C2: 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
- YARA rule match in process memory (1 IoC)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/3808-115-0x0000000073B80000-0x0000000073BB0000-memory.dmp  dridex_ldr
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3252  3808        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  3252  WerFault.exe  (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  3252  WerFault.exe
  Token: SeBackupPrivilege   3252  WerFault.exe
  Token: SeDebugPrivilege    3252  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process       target process
  PID 3988 wrote to memory of 3808  3988  rundll32.exe  rundll32.exe  (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe (PID 3988)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ac93976fc04561aebc4ce978f3eb2ecafc7cfe121bbeff8bd03604ecf46608e.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 3808)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ac93976fc04561aebc4ce978f3eb2ecafc7cfe121bbeff8bd03604ecf46608e.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 3252)
         C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Reading the tree: the trailing digits on the raw command lines (",#11", ",#12", "-s 6443") are nesting-depth markers from the report export, not arguments. The DLL is invoked by export ordinal #1, and WerFault's event argument is -s 644. The 64-bit rundll32 (PID 3988) hands off to the 32-bit rundll32 in SysWOW64 (PID 3808), which is what rundll32 does when given a 32-bit DLL; the dridex_ldr YARA hit lands in that child's address space (0x73B80000-0x73BB0000), and the child is the process WerFault is invoked for (-p 3808), so the loader was detected in memory before the process crashed.
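The indicators above (sample hash, extracted C2 endpoints, and the rundll32-by-ordinal launch from a user temp directory) translate directly into endpoint hunting logic. The script below is an added example, not part of the sandbox report or its tooling; it runs three checks over Sysmon-style event dicts. The field names (EventID, Image, CommandLine, ImageLoaded, Hashes, DestinationIp, DestinationPort) are an assumption modelled on Sysmon's schema, and the SAMPLE_EVENTS list is constructed to mirror the report's process tree plus two benign events; the C2 connection event in particular is constructed, since the report shows the process crashing rather than beaconing.

```python
"""Hunting checks built from the indicators in the sandbox report above (added example)."""
import re

# Indicators copied from the report: the sample's SHA256 and the extracted C2 list.
DROPPER_SHA256 = "0ac93976fc04561aebc4ce978f3eb2ecafc7cfe121bbeff8bd03604ecf46608e"
C2_ENDPOINTS = {("178.128.220.64", 30333), ("45.79.91.89", 9987)}

# rundll32 <path>.dll,#<n>: the DLL's export is invoked by ordinal, as in the report.
ORDINAL_CALL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*#(?P<ordinal>\d+)', re.IGNORECASE)
# Per-user temp directory: writable without elevation, where the sample was staged.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_hashes(field):
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes string into a dict (values lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def check_event(ev):
    """Return (pid, rule, detail) findings for one Sysmon-style event dict.

    Event IDs follow Sysmon: 1 = process create, 3 = network connect, 7 = image load.
    The field names are an assumption modelled on Sysmon's schema.
    """
    pid, eid, found = ev.get("ProcessId"), ev.get("EventID"), []
    if eid == 1 and ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        m = ORDINAL_CALL.search(ev.get("CommandLine", ""))
        if m and USER_TEMP.search(m["dll"]):
            found.append((pid, "rundll32_ordinal_from_user_temp", f'{m["dll"]},#{m["ordinal"]}'))
    elif eid == 7:
        if parse_hashes(ev.get("Hashes", "")).get("SHA256") == DROPPER_SHA256:
            found.append((pid, "known_dridex_dll_loaded", ev.get("ImageLoaded", "")))
    elif eid == 3:
        dst = (ev.get("DestinationIp"), ev.get("DestinationPort"))
        if dst in C2_ENDPOINTS:
            found.append((pid, "dridex_c2_connect", f"{dst[0]}:{dst[1]}"))
    return found


def hunt(events):
    """Run check_event over a sequence of events and collect every finding."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events mirroring the report's process tree, plus two benign ones.
DLL = r"C:\Users\Admin\AppData\Local\Temp\0ac93976fc04561aebc4ce978f3eb2ecafc7cfe121bbeff8bd03604ecf46608e.dll"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3988, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventID": 1, "ProcessId": 3808, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventID": 7, "ProcessId": 3808, "ImageLoaded": DLL,
     "Hashes": "MD5=549636018761c1363c19ea818e3b6549,SHA256=" + DROPPER_SHA256},
    # Constructed: the sandbox run crashed before any beacon was observed.
    {"EventID": 3, "ProcessId": 3808, "DestinationIp": "178.128.220.64", "DestinationPort": 30333},
    # Benign: a system DLL called by export name, no ordinal, not in a user temp dir.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 3, "ProcessId": 4100, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for pid, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

Running the block prints four findings: the ordinal launch from both rundll32 processes (3988 and 3808), the image load matching the sample's SHA256 in PID 3808, and the connection to 178.128.220.64:30333. The ordinal check is the most durable of the three, since hashes and C2 addresses rotate per Dridex campaign while the rundll32-plus-ordinal launch from a user-writable path does not.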