Analysis
max time kernel: 25s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 10-08-2021 06:32
Static task: static1
General
Target: 6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602.dll
Size: 184KB
MD5: af9649c78f01c1f66ed3bd168a9f0706
SHA1: 7d0a50042d24497680bbbb80e2f15bcda4eb834f
SHA256: 6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602
SHA512: 9c27f47ae305c9174df8c0f5a8aaf19aad8e904d619870e266cb356bdc933ada441230e419ecd5f8eacadfdf3b8aa2ec3e568850cc36d7ec4b45ce2c63d7da86
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.75.201.2:443
  158.223.1.108:6225
  165.22.28.242:4664
rc4.plain
rc4.plain
Signatures
Processes:
  resource: behavioral1/memory/4024-115-0x0000000073990000-0x00000000739C0000-memory.dmp
  yara_rule: dridex_ldr
Program crash (1 IoC)
Processes (pid / pid_target / process / target process):
  2268 / 4024 / WerFault.exe / rundll32.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid / process):
  2268 / WerFault.exe (14 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
  Token: SeRestorePrivilege / 2268 / WerFault.exe
  Token: SeBackupPrivilege / 2268 / WerFault.exe
  Token: SeDebugPrivilege / 2268 / WerFault.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
  PID 3128 wrote to memory of 4024 / 3128 / rundll32.exe / rundll32.exe (3 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d0591b18184752ace4b031e3f295c2f9bf496fb7a1fa098bbdbeab4b6108602.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 620
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken