Analysis

max time kernel: 25s
max time network: 114s
platform: windows10_x64
resource: win10v20210408
submitted: 10-08-2021 07:02
Static task: static1
General

Target: 32aef1203c3933746496d096913df260da7e02ac7544daffb0ee6cb372017a38.dll
Size: 184KB
MD5: c9e8635fd42596b7b7f6f771547ecf26
SHA1: 30ef5a062124434472b121081ce8696d540948ba
SHA256: 32aef1203c3933746496d096913df260da7e02ac7544daffb0ee6cb372017a38
SHA512: 81de96cc6ff90f17fffb14001ebcda0f4ca5efeae45151afa9788111c217ea675793e54b3eb160f84b0253321f759492840bfac4fb4e06bc5b67bbe5731018c4
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  103.75.201.2:443
  158.223.1.108:6225
  165.22.28.242:4664
rc4.plain
rc4.plain
Signatures

Yara rule match
Processes:
  resource                                                                        yara_rule
  behavioral1/memory/1816-115-0x0000000073F50000-0x0000000073F80000-memory.dmp  dridex_ldr

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  1304  1816        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  1304  WerFault.exe  (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  1304  WerFault.exe
  Token: SeBackupPrivilege   1304  WerFault.exe
  Token: SeDebugPrivilege    1304  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process       target process
  PID 1032 wrote to memory of 1816  1032  rundll32.exe  rundll32.exe  (same entry repeated 3 times)
Processes

1. C:\Windows\system32\rundll32.exe (PID 1032)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\32aef1203c3933746496d096913df260da7e02ac7544daffb0ee6cb372017a38.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1816)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\32aef1203c3933746496d096913df260da7e02ac7544daffb0ee6cb372017a38.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe (PID 1304)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 620
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken