Analysis
- max time kernel: 24s
- max time network: 88s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10-08-2021 05:51
- Static task: static1
General
- Target: 3e05f0efff6972db49baf54d474642cd074fcbf1e66ce1ddc2498cfe126e5c96.dll
- Size: 184KB
- MD5: 11800a586efc51695050b65d01965788
- SHA1: 64831edd8c2f12b2373d3e455264a65538cc139c
- SHA256: 3e05f0efff6972db49baf54d474642cd074fcbf1e66ce1ddc2498cfe126e5c96
- SHA512: e00c2fbc3d318df6eae815abe3f2ac80ad0d1f1d78d0ad778be2a2c95d345f570370295fde04edfb4ad3e36f6532081230d1e93c39eac2de99a8c9b15e85626a
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 103.75.201.2:443
  - 158.223.1.108:6225
  - 165.22.28.242:4664
- rc4.plain
Signatures
- Processes:
  resource: behavioral1/memory/1284-115-0x0000000074350000-0x0000000074380000-memory.dmp
  yara_rule: dridex_ldr
- Program crash (1 IoC)
  Processes:
  pid 940 WerFault.exe -> target pid 1284 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid 940 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token: SeRestorePrivilege, pid 940 WerFault.exe
  Token: SeBackupPrivilege, pid 940 WerFault.exe
  Token: SeDebugPrivilege, pid 940 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 652 rundll32.exe wrote to memory of 1284 rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e05f0efff6972db49baf54d474642cd074fcbf1e66ce1ddc2498cfe126e5c96.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e05f0efff6972db49baf54d474642cd074fcbf1e66ce1ddc2498cfe126e5c96.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken