Analysis
- max time kernel: 18s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-06-2021 00:13
- Static task: static1
General
- Target: 9ff5c1526b2425964760609ac30451f72be52f2b060c26863a380b094d6d94fa.dll
- Size: 174KB
- MD5: 1225452bc5647438782fe992004aa2b4
- SHA1: 04e8261cba2cb958155f4ab6e71415fb1db5e806
- SHA256: 9ff5c1526b2425964760609ac30451f72be52f2b060c26863a380b094d6d94fa
- SHA512: 8e2e9875dbd493c0093e0295ef70fc51457546bf150f814cf87fec172fe000c90f6e562b85e47bfa2bcf6af2b1cbd45854f2d8f58b596a24e1a345b488db3c03
Malware Config (extracted)
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures

Yara rule match
Processes:
  resource | yara_rule
  behavioral1/memory/4460-115-0x0000000074290000-0x00000000742C0000-memory.dmp | dridex_ldr

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  8 | 4460 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid | process
  8 | WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeRestorePrivilege | 8 | WerFault.exe
  Token: SeBackupPrivilege | 8 | WerFault.exe
  Token: SeDebugPrivilege | 8 | WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 4444 wrote to memory of 4460 | 4444 | rundll32.exe | rundll32.exe
  PID 4444 wrote to memory of 4460 | 4444 | rundll32.exe | rundll32.exe
  PID 4444 wrote to memory of 4460 | 4444 | rundll32.exe | rundll32.exe
Processes (tree; node numbers as shown in the report)

1. C:\Windows\system32\rundll32.exe
   command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ff5c1526b2425964760609ac30451f72be52f2b060c26863a380b094d6d94fa.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ff5c1526b2425964760609ac30451f72be52f2b060c26863a380b094d6d94fa.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe
         command: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 644
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken