Analysis

Max time kernel:  18s
Max time network: 126s
Platform:         windows10_x64
Resource:         win10v20210410
Submitted:        10-08-2021 06:19
Static task:      static1
General

Target: a6991cbbcf894e3036ce9513dfa591a189649c2f25c80f935e62eef966677f6e.dll
Size:   184KB
MD5:    b064c99bc482e2a8a60c9fc738417e46
SHA1:   c1f460ded0418b2c4a9ab7204d04cb1d0f634559
SHA256: a6991cbbcf894e3036ce9513dfa591a189649c2f25c80f935e62eef966677f6e
SHA512: a1db242e3e15756c36f00d622306685aff494e2a5c8a9599a2a5a37c57c258e80de4c8931a3a348864dc5b8bb3da81cb06cb119ee84017ef4ec7ca502a24a524
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  103.75.201.2:443
  158.223.1.108:6225
  165.22.28.242:4664
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                         yara_rule
  behavioral1/memory/3148-115-0x0000000073DE0000-0x0000000073E10000-memory.dmp   dridex_ldr

Program crash (1 IoC)
Processes:
  pid    pid_target   process        target process
  2792   3148         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid    process
  2792   WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid    process
  Token: SeRestorePrivilege   2792   WerFault.exe
  Token: SeBackupPrivilege    2792   WerFault.exe
  Token: SeDebugPrivilege     2792   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid    process        target process
  PID 3892 wrote to memory of 3148   3892   rundll32.exe   rundll32.exe
  PID 3892 wrote to memory of 3148   3892   rundll32.exe   rundll32.exe
  PID 3892 wrote to memory of 3148   3892   rundll32.exe   rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6991cbbcf894e3036ce9513dfa591a189649c2f25c80f935e62eef966677f6e.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6991cbbcf894e3036ce9513dfa591a189649c2f25c80f935e62eef966677f6e.dll,#1

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 616
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken