Analysis
max time kernel: 25s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 10-08-2021 06:07
Static task: static1
General
Target: 79aebe0f1c20805eb6e26fbf37f709d989c48d20fff1a89ee416e788c916f107.dll
Size: 184KB
MD5: 6622b0239ff4422e204c8e0c820181e1
SHA1: 3e85423624d87fa4b7daa7dcf3cebd4aa19c2c60
SHA256: 79aebe0f1c20805eb6e26fbf37f709d989c48d20fff1a89ee416e788c916f107
SHA512: 60ed78bb22300bf0579aa633fc98447487b2a44a7bd82663d7284147f4c20a38b5ae64ffb15cdb605235702c393e18b24731bbf9942aa145e6407871dab4240f
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.75.201.2:443
  158.223.1.108:6225
  165.22.28.242:4664
rc4.plain
rc4.plain
Signatures

Processes (yara_rule match):
  resource: behavioral1/memory/1040-115-0x0000000074310000-0x0000000074340000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
Processes:
  pid 2316 WerFault.exe -> target pid 1040 rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid 2316 WerFault.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeRestorePrivilege  pid 2316 WerFault.exe
  Token: SeBackupPrivilege   pid 2316 WerFault.exe
  Token: SeDebugPrivilege    pid 2316 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 800 rundll32.exe wrote to memory of PID 1040 rundll32.exe (3 occurrences)
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\79aebe0f1c20805eb6e26fbf37f709d989c48d20fff1a89ee416e788c916f107.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\79aebe0f1c20805eb6e26fbf37f709d989c48d20fff1a89ee416e788c916f107.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken