Analysis
max time kernel: 17s
max time network: 124s
platform: windows10_x64
resource: win10v20210410
submitted: 10-08-2021 06:35
Static task: static1
General
Target: 5472915c37688d279e7a08257278c7069eb8d91e083eb1184592faef5f77097d.dll
Size: 184KB
MD5: 6c0a00fc18b8c553ef2c42ff9bc8832f
SHA1: 65ee8fdffe2b7f1ed4420654bfc3cfe8af1bdb81
SHA256: 5472915c37688d279e7a08257278c7069eb8d91e083eb1184592faef5f77097d
SHA512: a1b2812953e7f854629191477e68d78394064bff9d71f62444e9c9cb631d6f18ff44e50d64e769c313c7771a8612bf2f9f41be2278c85ebdcc737aa8aef4f80e
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.75.201.2:443
  158.223.1.108:6225
  165.22.28.242:4664
rc4.plain
rc4.plain
Signatures
YARA rule match: dridex_ldr
  resource: behavioral1/memory/3124-115-0x0000000073E80000-0x0000000073EB0000-memory.dmp
  (memory of PID 3124, the SysWOW64 rundll32.exe; a 0x30000-byte region at a 32-bit load address, consistent with the mapped 184KB DLL)
Program crash (1 IoC)
  WerFault.exe (PID 3524) handled the crash of rundll32.exe (PID 3124)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  WerFault.exe (PID 3524), 14 events
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  WerFault.exe (PID 3524) enabled SeRestorePrivilege, SeBackupPrivilege and SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
  rundll32.exe (PID 3368) wrote to the memory of rundll32.exe (PID 3124), 3 events
Note: the process enumeration and privilege adjustments are attributed to WerFault.exe, the Windows Error Reporting crash handler started for the crashed rundll32.exe, and are its normal activity while collecting a crash dump; they are not actions of the sample. The writes from PID 3368 to PID 3124 occur between the 64-bit rundll32.exe and the 32-bit rundll32.exe it relaunched under SysWOW64, which is rundll32's standard handling of a 32-bit DLL on a 64-bit host; they belong to that launch rather than to injection into an unrelated process. What is attributable to the sample itself is the dridex_ldr match in the 32-bit rundll32's memory and the crash that ended the run.
Processes
C:\Windows\system32\rundll32.exe (PID 3368)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5472915c37688d279e7a08257278c7069eb8d91e083eb1184592faef5f77097d.dll,#1
  (",#1" calls the DLL's export at ordinal 1)
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 3124)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5472915c37688d279e7a08257278c7069eb8d91e083eb1184592faef5f77097d.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 3524)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 616
      ("-p 3124" is the faulting process, the SysWOW64 rundll32.exe)
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
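As an added example (not part of this report, and not Triage's or Dridex's code), the following Python turns the extracted config, the sample hashes and the rundll32 command line from the process tree into hunt logic and runs it over constructed Sysmon-style events. Field names follow Sysmon's process-creation (EventID 1), network-connection (EventID 3) and image-load (EventID 7) schema; every event is made up for the demonstration. In particular the two C2 connections are hypothetical: this page records no network connections, the sample crashed under WerFault.

```python
"""Hunt logic built from the Triage report for Dridex botnet 22201.

Added example; only the C2 list, hashes and rundll32 command line come
from the report. All events below are constructed, not observed.
"""
import re

DRIDEX_BOTNET = 22201
DRIDEX_C2 = {("103.75.201.2", 443), ("158.223.1.108", 6225), ("165.22.28.242", 4664)}
C2_IPS = {ip for ip, _ in DRIDEX_C2}
SAMPLE_HASHES = {
    "md5": "6c0a00fc18b8c553ef2c42ff9bc8832f",
    "sha1": "65ee8fdffe2b7f1ed4420654bfc3cfe8af1bdb81",
    "sha256": "5472915c37688d279e7a08257278c7069eb8d91e083eb1184592faef5f77097d",
}

# rundll32 given a DLL under a Temp directory and an ordinal export (",#N"),
# the shape of the command line in the report's process tree.
RUNDLL32_TEMP_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\\Temp\\[^",]+\.dll)"?\s*,\s*#(?P<ordinal>\d+)',
    re.IGNORECASE,
)


def parse_sysmon_hashes(field):
    """Sysmon 'SHA1=..,MD5=..,SHA256=..' -> {'sha1': '..', ...}, lower-cased."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().lower()] = digest.strip().lower()
    return out


def evaluate(event):
    """Return a list of (severity, message) findings for one Sysmon-style event."""
    findings = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 1:  # process creation
        if image.endswith("\\rundll32.exe"):
            m = RUNDLL32_TEMP_ORDINAL.search(event.get("CommandLine", ""))
            if m:
                findings.append(("high", f"rundll32 loads {m.group('dll')} from Temp by ordinal #{m.group('ordinal')}"))
        if image.endswith("\\werfault.exe") and RUNDLL32_TEMP_ORDINAL.search(event.get("ParentCommandLine", "")):
            findings.append(("medium", "WerFault crash handler for a rundll32 running a Temp-directory DLL"))
    elif eid == 7:  # image load: compare every hash Sysmon recorded against the sample
        for algo, digest in parse_sysmon_hashes(event.get("Hashes", "")).items():
            if SAMPLE_HASHES.get(algo) == digest:
                findings.append(("high", f"loaded module {event.get('ImageLoaded')} matches Dridex sample ({algo})"))
                break
    elif eid == 3:  # network connection: exact ip:port first, then address-only
        dst = (event.get("DestinationIp", ""), int(event.get("DestinationPort", 0)))
        if dst in DRIDEX_C2:
            findings.append(("critical", f"connection to Dridex botnet {DRIDEX_BOTNET} C2 {dst[0]}:{dst[1]}"))
        elif dst[0] in C2_IPS:
            findings.append(("medium", f"connection to Dridex C2 address {dst[0]} on unlisted port {dst[1]}"))
    return findings


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\5472915c37688d279e7a08257278c7069eb8d91e083eb1184592faef5f77097d.dll"

# Constructed events modelled on the report's process tree, plus two benign controls.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\system32\rundll32.exe", "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": f"rundll32.exe {SAMPLE_DLL},#1",
     "ParentImage": r"C:\Windows\system32\rundll32.exe", "ParentCommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ImageLoaded": SAMPLE_DLL,
     "Hashes": "SHA1=65EE8FDFFE2B7F1ED4420654BFC3CFE8AF1BDB81,MD5=6C0A00FC18B8C553EF2C42FF9BC8832F"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "DestinationIp": "158.223.1.108", "DestinationPort": "6225"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "DestinationIp": "103.75.201.2", "DestinationPort": "8443"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 616",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe", "ParentCommandLine": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"EventID": 1, "Image": r"C:\Windows\system32\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "93.184.216.34",
     "DestinationPort": "443"},
]


def run(events=CONSTRUCTED_EVENTS):
    """Evaluate every event; return (event index, severity, message) triples."""
    return [(i, sev, msg) for i, ev in enumerate(events) for sev, msg in evaluate(ev)]


if __name__ == "__main__":
    for i, sev, msg in run():
        print(f"[{sev:8}] event {i}: {msg}")
```

The address-only match is deliberately rated lower than the ip:port match: Dridex C2 ports in extracted configs change between builds, so a connection to a listed address on another port is worth a look but is not the same signal as the exact pair from this config. The benign rundll32 control (a system DLL called by export name, not from Temp) produces no finding, which is the false-positive case the Temp-plus-ordinal rule is meant to avoid.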