Analysis
  max time kernel:  18s
  max time network: 124s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        11-06-2021 00:36
  Static task:      static1
General
  Target: d807a798877099d313ce47bfc818c927962d2c32cccb2d975f0dccbbb1a791de.dll
  Size:   174KB
  MD5:    d3b34393e38e4f86a94b2bb1a89536eb
  SHA1:   8e9b4848bfc9b30c8819de21e484a812c1da26cb
  SHA256: d807a798877099d313ce47bfc818c927962d2c32cccb2d975f0dccbbb1a791de
  SHA512: ba861377510ec03b49f12369470641201098a3b429678dbaa82e4f8391b96037b20ef3b5b209b990c1ca21a0a871fdb3a3529d58bf387962b9cfdf48f02d4506
Malware Config
  Extracted
    Family: dridex
    Botnet: 22201
    C2:     178.128.220.64:30333
            45.79.91.89:9987
    rc4.plain
    rc4.plain
Signatures

  Processes:
    resource                                                                        yara_rule
    behavioral1/memory/4468-115-0x0000000073820000-0x0000000073850000-memory.dmp    dridex_ldr
  Program crash (1 IoCs)
  Processes:
    pid    pid_target    process         target process
    4040   4468          WerFault.exe    rundll32.exe
  Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid    process
    4040   WerFault.exe    (same row reported 14 times)
  Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                  pid    process
    Token: SeRestorePrivilege    4040   WerFault.exe
    Token: SeBackupPrivilege     4040   WerFault.exe
    Token: SeDebugPrivilege      4040   WerFault.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid    process         target process
    PID 4452 wrote to memory of 4468    4452   rundll32.exe    rundll32.exe
    PID 4452 wrote to memory of 4468    4452   rundll32.exe    rundll32.exe
    PID 4452 wrote to memory of 4468    4452   rundll32.exe    rundll32.exe
Processes

  1. C:\Windows\system32\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\d807a798877099d313ce47bfc818c927962d2c32cccb2d975f0dccbbb1a791de.dll,#1
       - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\d807a798877099d313ce47bfc818c927962d2c32cccb2d975f0dccbbb1a791de.dll,#1

        3. C:\Windows\SysWOW64\WerFault.exe
           C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 644
             - Program crash
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken