Analysis
max time kernel: 25s
max time network: 119s
platform: windows10_x64
resource: win10v20210408
submitted: 20-06-2021 22:54
Static task: static1
General
Target: b633c347e08e28fb3f88ef91e467d6c482476ab8ad77cd3443a9cb76a34ba444.dll
Size: 173KB
MD5: f24942f4164213e0579f35767466fba6
SHA1: 75d185cf11c73da176ba1f37c09180cd1d4496fe
SHA256: b633c347e08e28fb3f88ef91e467d6c482476ab8ad77cd3443a9cb76a34ba444
SHA512: ff3f79c724b8355d80f28c459a668f23ea19a6d4a8febf718a17c690334d35eb9bb439ba3acf7305dd959dd1cfe7beba381fd22f9c267a64bd7d2426745e122b
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  94.23.86.141:13783
  62.75.161.205:2303
  162.214.188.105:8172
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource:  behavioral1/memory/3396-115-0x0000000073F20000-0x0000000073F50000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid   pid_target  process       target process
  3720  3396        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  3720  WerFault.exe  (all 14 IoCs are this one process)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  3720  WerFault.exe
  Token: SeBackupPrivilege   3720  WerFault.exe
  Token: SeDebugPrivilege    3720  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process       target process
  PID 3728 wrote to memory of 3396  3728  rundll32.exe  rundll32.exe  (reported 3 times)
Processes
(PIDs are taken from the signature tables above; indentation shows parent/child.)

C:\Windows\system32\rundll32.exe  (PID 3728)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b633c347e08e28fb3f88ef91e467d6c482476ab8ad77cd3443a9cb76a34ba444.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 3396)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b633c347e08e28fb3f88ef91e467d6c482476ab8ad77cd3443a9cb76a34ba444.dll,#1

    C:\Windows\SysWOW64\WerFault.exe  (PID 3720)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
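The process tree and extracted config above are enough to write a hunt for this loader on endpoint telemetry. The script below is an added example, not part of the sandbox report or of any vendor tooling: it flags the 64-bit rundll32.exe that spawns a SysWOW64 rundll32.exe on the same DLL from the user's Temp directory (the pattern behind the WriteProcessMemory IoCs), connections to the three extracted C2 addresses, loads of the sample by SHA256, and a WerFault "-p <pid>" crash tied back to the flagged loader (which is why the EnumeratesProcesses and AdjustPrivilegeToken IoCs belong to WerFault, not to the malware). The key=value record layout, the field names and the pids 4000/5000 are assumptions for the example; the log lines are constructed to mirror the report's tree.

```python
import re

# Indicators copied from the report's extracted config and hash block.
DRIDEX_C2 = {"94.23.86.141:13783", "62.75.161.205:2303", "162.214.188.105:8172"}
SAMPLE_SHA256 = "b633c347e08e28fb3f88ef91e467d6c482476ab8ad77cd3443a9cb76a34ba444"
DLL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".dll"

# Constructed telemetry mirroring the sandbox's tree (3728 -> 3396 -> 3720), plus a
# benign rundll32 and an unrelated connection. Record layout is an assumption.
EVENTS = [
    f'type=process pid=3728 ppid=4000 image=C:\\Windows\\system32\\rundll32.exe cmd="rundll32.exe {DLL},#1"',
    f'type=process pid=3396 ppid=3728 image=C:\\Windows\\SysWOW64\\rundll32.exe cmd="rundll32.exe {DLL},#1"',
    f'type=imageload pid=3396 image={DLL} sha256={SAMPLE_SHA256}',
    'type=network pid=3396 dst=94.23.86.141:13783',
    'type=network pid=3396 dst=13.107.4.50:80',
    'type=process pid=3720 ppid=3396 image=C:\\Windows\\SysWOW64\\WerFault.exe cmd="C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3396 -s 644"',
    'type=process pid=5000 ppid=4000 image=C:\\Windows\\system32\\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_RUNDLL = re.compile(r'rundll32\.exe\s+(\S+?\.dll),(#?\w+)', re.I)


def parse(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {k: q or v for k, q, v in _KV.findall(line)}


def rundll32_target(cmd):
    """Return (dll path, export) from a rundll32 command line, or (None, None)."""
    m = _RUNDLL.search(cmd)
    return (m.group(1), m.group(2)) if m else (None, None)


def loader_hop(events):
    """64-bit rundll32 spawning SysWOW64 rundll32 on the same DLL under %TEMP%."""
    procs = {e["pid"]: e for e in events if e.get("type") == "process"}
    hits = []
    for e in procs.values():
        parent = procs.get(e.get("ppid"))
        if not parent:
            continue
        if not (e.get("image", "").lower().endswith("\\syswow64\\rundll32.exe")
                and parent.get("image", "").lower().endswith("\\system32\\rundll32.exe")):
            continue
        dll, export = rundll32_target(e.get("cmd", ""))
        pdll, _ = rundll32_target(parent.get("cmd", ""))
        if dll and dll.lower() == (pdll or "").lower() and "\\appdata\\local\\temp\\" in dll.lower():
            hits.append((parent["pid"], e["pid"], export))
    return hits


def c2_contacts(events):
    """Connections to any of the C2 endpoints extracted from the sample."""
    return [(e["pid"], e["dst"]) for e in events
            if e.get("type") == "network" and e.get("dst") in DRIDEX_C2]


def known_sample_loads(events):
    """Image loads whose SHA256 matches the analysed DLL."""
    return [(e["pid"], e["image"]) for e in events
            if e.get("type") == "imageload" and e.get("sha256", "").lower() == SAMPLE_SHA256]


def crashed_loaders(events, loader_pids):
    """WerFault -p <pid> where <pid> is a flagged loader (3396 crashed under 3720)."""
    out = []
    for e in events:
        if e.get("type") == "process" and e.get("image", "").lower().endswith("\\werfault.exe"):
            m = re.search(r"-p\s+(\d+)", e.get("cmd", ""))
            if m and m.group(1) in loader_pids:
                out.append((m.group(1), e["pid"]))
    return out


def hunt(lines):
    """Run every check over raw log lines and return the hits per check."""
    events = [parse(l) for l in lines]
    hops = loader_hop(events)
    loader_pids = {pid for _, pid, _ in hops}
    return {
        "loader_hop": hops,
        "c2": c2_contacts(events),
        "known_hash": known_sample_loads(events),
        "crash": crashed_loaders(events, loader_pids),
    }


if __name__ == "__main__":
    for name, hits in hunt(EVENTS).items():
        print(f"{name}: {hits}")
```

The crash check is deliberately scoped to pids already flagged by the parent/child rule: WerFault spawning on its own is routine, and the report shows that its privilege-token and process-enumeration IoCs are just Windows Error Reporting collecting a dump of the crashed rundll32.exe.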