Analysis
- max time kernel: 26s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10-08-2021 06:52
- Static task: static1
General
- Target: 24ba18d186dd6ea3813e6b945a6adc39a68310f06ec949039f4f43fa5b037f6d.dll
- Size: 184KB
- MD5: 1c52aa233e3c9bba12abb71d3c47405f
- SHA1: 2f6b920e5ac9b0ff3bb433907f014d9f467b0886
- SHA256: 24ba18d186dd6ea3813e6b945a6adc39a68310f06ec949039f4f43fa5b037f6d
- SHA512: 2eb4e1d530af6fdaf883c36689b766e0ee21413da070734f29580a6df2841903f3e2c7aa96ac745f8b8eed9ee9b76fef7480371affd330d0100a018d1a7f06a1
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  103.75.201.2:443
  158.223.1.108:6225
  165.22.28.242:4664
- rc4.plain
- rc4.plain
Signatures

YARA rule match
  resource                                                                         yara_rule
  behavioral1/memory/4024-115-0x0000000074260000-0x0000000074290000-memory.dmp     dridex_ldr

Program crash 1 IoCs
  pid    pid_target   process        target process
  3772   4024         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
  pid    process
  3772   WerFault.exe   (14 occurrences)

Suspicious use of AdjustPrivilegeToken 3 IoCs
  description                  pid    process
  Token: SeRestorePrivilege    3772   WerFault.exe
  Token: SeBackupPrivilege     3772   WerFault.exe
  Token: SeDebugPrivilege      3772   WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
  description                         pid   process        target process
  PID 996 wrote to memory of 4024     996   rundll32.exe   rundll32.exe   (3 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ba18d186dd6ea3813e6b945a6adc39a68310f06ec949039f4f43fa5b037f6d.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ba18d186dd6ea3813e6b945a6adc39a68310f06ec949039f4f43fa5b037f6d.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 632
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Read together with the signatures: the 64-bit rundll32.exe (PID 996) writes into and starts a 32-bit copy of itself under SysWOW64 (PID 4024) to load the DLL by export ordinal #1; that 32-bit process crashes and is handed to WerFault.exe (-p 4024), and the dridex_ldr YARA rule fires on the memory dump of PID 4024, not on the DLL file itself.
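The two hunting rules a detection engineer would lift from this report are the rundll32 launch pattern (a DLL loaded from a user's AppData\Local\Temp, export called by ordinal) and the C2 endpoints in the extracted config. The script below is an added example, not part of the sandbox report or any vendor's code: it parses process-tree lines in the flattened form shown on this page ("<image>.exe<command line><depth>⤵"), applies both rules, and runs them over constructed inputs (the three tree lines above, one benign rundll32 line, and three made-up connection records). Function names and the input shapes are this example's own assumptions.

```python
"""Hunting rules derived from the Dridex sandbox report (added example).

Rule 1: rundll32.exe loading a DLL from a user's AppData\\Local\\Temp and/or
        calling an export by ordinal (",#1"), the launch pattern seen above.
Rule 2: outbound connections to the C2 endpoints in the extracted config.
All inputs below are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# C2 endpoints from the extracted config above, as (ip, port).
DRIDEX_C2 = {
    ("103.75.201.2", 443),
    ("158.223.1.108", 6225),
    ("165.22.28.242", 4664),
}

# Flattened tree line: image path ends at the first ".exe", the command line
# follows with no separator, and a single-digit depth plus the arrow closes it.
TREE_LINE_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵$")

# rundll32 <dll>,<export>  where <export> is a name or "#<ordinal>".
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_tree_line(line: str) -> Tuple[str, str, int]:
    """Split one flattened process-tree line into (image, command line, depth)."""
    m = TREE_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a process-tree line: {line!r}")
    return m.group("image"), m.group("cmd").strip(), int(m.group("depth"))


def check_rundll32(cmdline: str) -> Optional[str]:
    """Rule 1: flag rundll32 loading a DLL from user Temp and/or by ordinal."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    reasons = []
    if USER_TEMP_RE.search(dll):
        reasons.append("DLL loaded from user Temp")
    if export.startswith("#"):
        reasons.append(f"export called by ordinal {export}")
    return "; ".join(reasons) if reasons else None


def check_connection(dst_ip: str, dst_port: int) -> Optional[str]:
    """Rule 2: flag a destination that matches the extracted Dridex C2 list."""
    if (dst_ip, dst_port) in DRIDEX_C2:
        return f"dridex C2 {dst_ip}:{dst_port}"
    return None


def scan(tree_lines: List[str], connections: List[Tuple[str, int]]) -> List[str]:
    """Run both rules and return one finding string per hit."""
    findings = []
    for line in tree_lines:
        image, cmd, depth = parse_tree_line(line)
        hit = check_rundll32(cmd)
        if hit:
            findings.append(f"[rundll32] depth={depth} {image}: {hit}")
    for ip, port in connections:
        hit = check_connection(ip, port)
        if hit:
            findings.append(f"[network] {hit}")
    return findings


# Constructed inputs: the report's three tree lines, one benign rundll32 line
# (shell32 control panel applet, named export), and three connection records.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\24ba18d186dd6ea3813e6b945a6adc39a68310f06ec949039f4f43fa5b037f6d.dll"
TREE = [
    rf"C:\Windows\system32\rundll32.exerundll32.exe {SAMPLE_DLL},#11⤵",
    rf"C:\Windows\SysWOW64\rundll32.exerundll32.exe {SAMPLE_DLL},#12⤵",
    r"C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 6323⤵",
    r"C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL1⤵",
]
CONNECTIONS = [("103.75.201.2", 443), ("8.8.8.8", 53), ("165.22.28.242", 4664)]

if __name__ == "__main__":
    for finding in scan(TREE, CONNECTIONS):
        print(finding)
```

The single-digit depth assumption in TREE_LINE_RE is what disambiguates ",#1" followed by depth "1" from an ordinal "#11"; on a real telemetry source the command line and parent/child relation arrive as separate fields and the parser is unnecessary, but the two rule functions apply unchanged.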