Analysis
- max time kernel: 26s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10-08-2021 06:57
- static task: static1
General
- Target: 4d619209dc6f4b31d57955d2b06f6b0f2b1f629e5d922d28274abf7bb0a157a9.dll
- Size: 184KB
- MD5: c267d81060793bd960749cfcbf37f4c0
- SHA1: 9c5bc4cf796bfd813e11d431096855b764643316
- SHA256: 4d619209dc6f4b31d57955d2b06f6b0f2b1f629e5d922d28274abf7bb0a157a9
- SHA512: b31c067cda0c9c9a3adb5f027ef67fcf69f1836a2721b6627d0a9133bd3d046ad4b23cf239c6afbd21c5b6eb34ad475bdf3b43d4d0001e150b4f34efac6489eb
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 103.75.201.2:443
  - 158.223.1.108:6225
  - 165.22.28.242:4664
- rc4.plain
- rc4.plain
Signatures
- Processes:
    resource: behavioral1/memory/1892-115-0x0000000073530000-0x0000000073560000-memory.dmp
    yara_rule: dridex_ldr
- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    1588 | 1892 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid | process
    1588 | WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeRestorePrivilege | 1588 | WerFault.exe
    Token: SeBackupPrivilege | 1588 | WerFault.exe
    Token: SeDebugPrivilege | 1588 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 3628 wrote to memory of 1892 | 3628 | rundll32.exe | rundll32.exe (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d619209dc6f4b31d57955d2b06f6b0f2b1f629e5d922d28274abf7bb0a157a9.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d619209dc6f4b31d57955d2b06f6b0f2b1f629e5d922d28274abf7bb0a157a9.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 616
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken