Analysis
  max time kernel: 26s
  max time network: 112s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 10-08-2021 06:48
  Static task: static1

General
  Target: 5b7f5d11be442ed9859e310d644907de08de4fef18ce1cf1a4cc746f05a57451.dll
  Size: 184KB
  MD5: bd2adb50ee688e5b28ceb7a0cdc087ed
  SHA1: a35fbc6df7151260ae0d7bcae0581e3fd8a0662d
  SHA256: 5b7f5d11be442ed9859e310d644907de08de4fef18ce1cf1a4cc746f05a57451
  SHA512: ddbe5b849aeac8d164acaaaa60e5e7a55727cbfa2a8446e6ca992cdd1e5c19ce9014249f509145cdcfd766286afe8091d0d971a2bcfb4e741b94551630bc3240

Malware Config
  Extracted
  Family: dridex
  Botnet: 22201
  C2:
    103.75.201.2:443
    158.223.1.108:6225
    165.22.28.242:4664
  rc4.plain
Signatures
  Yara rule match
    Processes:
      resource: behavioral1/memory/1548-115-0x0000000074160000-0x0000000074190000-memory.dmp
      yara_rule: dridex_ldr

  Program crash (1 IoC)
    Processes:
      pid 936 WerFault.exe, pid_target 1548 rundll32.exe

  Suspicious behavior: EnumeratesProcesses (14 IoCs)
    Processes:
      pid 936 WerFault.exe (14 occurrences)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Processes:
      Token: SeRestorePrivilege, pid 936 WerFault.exe
      Token: SeBackupPrivilege, pid 936 WerFault.exe
      Token: SeDebugPrivilege, pid 936 WerFault.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      PID 860 wrote to memory of 1548: 860 rundll32.exe -> 1548 rundll32.exe (3 occurrences)
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b7f5d11be442ed9859e310d644907de08de4fef18ce1cf1a4cc746f05a57451.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b7f5d11be442ed9859e310d644907de08de4fef18ce1cf1a4cc746f05a57451.dll,#1
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 620
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken