Analysis
- max time kernel: 23s
- max time network: 85s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 00:29
- Static task: static1
General
- Target: ba90231dcc85c052d43e1acc537300769701fb91c0a99a5342f312e8c7c5b4f7.dll
- Size: 174KB
- MD5: 399942bfb061554be12528d382681686
- SHA1: ecb4d33ea5c8970872d7271c5f9ab5cfbb9bc3f0
- SHA256: ba90231dcc85c052d43e1acc537300769701fb91c0a99a5342f312e8c7c5b4f7
- SHA512: a6e320a0522fb2e3b7cd0a93474e6db43695efd2a894dd0c93396b1baed560174436b979c693d812380028c7030562d176e7a57376c389e2c9a12b789dbcdaea
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 178.128.220.64:30333
  - 45.79.91.89:9987
- rc4.plain
- rc4.plain
Signatures
- Processes (resource / yara_rule):
  - behavioral1/memory/4000-115-0x0000000073A70000-0x0000000073AA0000-memory.dmp / dridex_ldr
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  - 2032 / 4000 / WerFault.exe / rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process), all 14 entries identical:
  - 2032 / WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeRestorePrivilege / 2032 / WerFault.exe
  - Token: SeBackupPrivilege / 2032 / WerFault.exe
  - Token: SeDebugPrivilege / 2032 / WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process), all 3 entries identical:
  - PID 660 wrote to memory of 4000 / 660 / rundll32.exe / rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba90231dcc85c052d43e1acc537300769701fb91c0a99a5342f312e8c7c5b4f7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba90231dcc85c052d43e1acc537300769701fb91c0a99a5342f312e8c7c5b4f7.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 648
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken