Analysis
- max time kernel: 26s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-06-2021 23:08
- Static task: static1
General
- Target: 45092a57c39a89f1f57de496a4ba42e883495446bcf6e4c2086f6a8ea57eff7c.dll
- Size: 163KB
- MD5: dd2bcd6342398d751e53a10a9982f5f3
- SHA1: 792d580f5f760267c0340b1233a1a908c180f5d7
- SHA256: 45092a57c39a89f1f57de496a4ba42e883495446bcf6e4c2086f6a8ea57eff7c
- SHA512: 5061f6b0553f1d52f97063ac319f84d5759bc7260348d2f993d867ef3dfaa12d6b9c57448674277b603ffb3fd55125fc811fde3120af7cd7dc1dc15554d5659e
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 43.229.206.212:443
  - 82.209.17.209:8172
  - 162.241.209.225:4125
- rc4.plain
- rc4.plain
Signatures
- YARA rule match
  Processes:
  - resource: behavioral1/memory/3148-115-0x0000000010000000-0x000000001002E000-memory.dmp, yara_rule: dridex_ldr
- Program crash (1 IoC)
  Processes:
  - pid: 1324, pid_target: 3148, process: WerFault.exe, target process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - pid: 1324, process: WerFault.exe (14 entries, all the same pid and process)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - description: Token: SeRestorePrivilege, pid: 1324, process: WerFault.exe
  - description: Token: SeBackupPrivilege, pid: 1324, process: WerFault.exe
  - description: Token: SeDebugPrivilege, pid: 1324, process: WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - description: PID 3008 wrote to memory of 3148, pid: 3008, process: rundll32.exe, target process: rundll32.exe
  - description: PID 3008 wrote to memory of 3148, pid: 3008, process: rundll32.exe, target process: rundll32.exe
  - description: PID 3008 wrote to memory of 3148, pid: 3008, process: rundll32.exe, target process: rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\45092a57c39a89f1f57de496a4ba42e883495446bcf6e4c2086f6a8ea57eff7c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\45092a57c39a89f1f57de496a4ba42e883495446bcf6e4c2086f6a8ea57eff7c.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 720
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken