Analysis
max time kernel: 19s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 10-08-2021 06:44
Static task: static1
General
Target: 7db0662a3c8cc22f6c1331d9cbe3ad34cc9e908b57d99cb0eeb1da918162f096.dll
Size: 184KB
MD5: fff34c8ef0e99bc6ca689adef2993e3d
SHA1: 6449851ca916de8e2013d84ceb46da812eebeb9f
SHA256: 7db0662a3c8cc22f6c1331d9cbe3ad34cc9e908b57d99cb0eeb1da918162f096
SHA512: 40b90f1a0acd8d5afd859677be2520c2d3075ce1f1ddbcaa4f734e1bc37b5746743ef38cc5df1d4668e87c8e316d22aae0e8751cc3469795eae1a0de0b70f6fe
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
103.75.201.2:443
158.223.1.108:6225
165.22.28.242:4664
rc4.plain
rc4.plain
Signatures

Yara rule match
Processes:
resource: behavioral1/memory/804-115-0x0000000073DE0000-0x0000000073E10000-memory.dmp  yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
pid 1564 WerFault.exe  target pid 804 rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid 1564 WerFault.exe (14 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
Token: SeRestorePrivilege  pid 1564 WerFault.exe
Token: SeBackupPrivilege  pid 1564 WerFault.exe
Token: SeDebugPrivilege  pid 1564 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
PID 2896 rundll32.exe wrote to memory of PID 804 rundll32.exe (3 events)
Processes (tree, indented by depth)
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7db0662a3c8cc22f6c1331d9cbe3ad34cc9e908b57d99cb0eeb1da918162f096.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7db0662a3c8cc22f6c1331d9cbe3ad34cc9e908b57d99cb0eeb1da918162f096.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken