Analysis

Max time kernel: 66s
Max time network: 124s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 20-10-2021 14:59

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 5_.dll
  Resource: win7-en-20210920
  Platform: windows7_x64
  0 signatures, 0 seconds
General

Target: 5_.dll
Size: 180KB
MD5: 08c304d50ad0d6f861a2e81e95cf0b75
SHA1: 91c1774abb3f92e89b00635202f2e3b5afa2f4e1
SHA256: 2d8223ba637f3be700601fcc922bed02dc5ce060a23c2c34138dfcd9362320e8
SHA512: fa72fbf54705fa38a4849392e1943f367f6876a3a848f90f26dbf30925cc75d3ab04d832d9dc1948720f368d378696a9fe7560996ceeda545ed3d3b09f6cad56
Malware Config

Extracted
Family: dridex
Botnet: 22203
C2:
  155.138.203.91:443
  207.180.220.242:8116
  46.101.142.214:6891
rc4.plain
rc4.plain
Signatures

YARA rule match (memory)
  Rule: dridex_ldr
  Resource: behavioral2/memory/588-116-0x0000000073F60000-0x0000000073F8F000-memory.dmp

Program crash (1 IoC)
  pid 3172 WerFault.exe -> target pid 588 rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 3172 WerFault.exe (12 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege  pid 3172 WerFault.exe
  Token: SeBackupPrivilege   pid 3172 WerFault.exe
  Token: SeDebugPrivilege    pid 3172 WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2680 rundll32.exe wrote to memory of PID 588 rundll32.exe (3 hits)
Processes

C:\Windows\system32\rundll32.exe (PID 2680)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 588)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 3172)
      C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the 64-bit rundll32.exe re-hosts the DLL in its SysWOW64 counterpart with the same command line, which is the normal path for a 32-bit DLL (consistent with the SysWOW64 WerFault and the 32-bit load address 0x73F60000 in the YARA hit); the WriteProcessMemory hits are the parent writing into that child at creation. The DLL is invoked by ordinal (",#1") from a user-writable Temp directory, and the process then crashes, which is why the only loader evidence is the memory dump of PID 588. The WerFault privilege tokens (SeDebugPrivilege and friends) and process enumeration are WerFault's own crash-handling behaviour, not the sample's.
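The relationships in the tree above (rundll32 loading an ordinal export from a user-writable path, the re-host into SysWOW64, and WerFault naming the crashed PID with "-p") are the kind of thing a detection should tie together rather than alert on one at a time. The block below is an added example and is not part of the Triage report or any vendor code: it runs that logic over constructed process-creation records that mirror the report's PIDs, images and command lines (the parent PID 1234 and the benign shell32.dll entry are invented for contrast, and the user-writable directory list in the regex is an assumption tuned to this case).

```python
"""Flag the rundll32 -> WoW64 rundll32 -> WerFault chain from the report above.

Added example, not part of the sandbox report. Telemetry below is constructed
to mirror the report's process tree; PPID 1234 and the shell32.dll line are
invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (fields Sysmon EventID 1 or an EDR provides)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (not captured data).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(2680, 1234, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_.dll,#1"),
    ProcessEvent(588, 2680, r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_.dll,#1"),
    ProcessEvent(3172, 588, r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 620"),
    ProcessEvent(4000, 1234, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

# A DLL under a user-writable directory called by ordinal (",#N"), as in the
# report's command line. The directory list is an assumption; widen it to taste.
USER_WRITABLE_DLL = re.compile(
    r"(?i)\\users\\[^\\]+\\(appdata|downloads|desktop)\\.*\.dll,#\d+")
# WerFault's "-p <pid>" argument names the process that crashed.
WERFAULT_TARGET = re.compile(r"(?i)werfault\.exe\s.*-p\s+(\d+)")


def is_rundll32(ev: ProcessEvent) -> bool:
    return ev.image.lower().endswith(r"\rundll32.exe")


def suspicious_rundll32(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """rundll32 instances whose command line loads an ordinal export from a user path."""
    return [ev for ev in events
            if is_rundll32(ev) and USER_WRITABLE_DLL.search(ev.cmdline)]


def analyse(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Return (finding, pid) pairs for the two relationships visible in the report.

    wow64_rundll32_rehost: a suspicious 64-bit rundll32 spawned a SysWOW64 rundll32
        for the same DLL. Normal for a 32-bit DLL, but it pins down which PID holds
        the payload and which PID the parent's WriteProcessMemory hits refer to.
    suspicious_rundll32_crashed: WerFault was started for a suspicious rundll32 PID,
        so the loader died after the DLL ran; its memory dump is the artefact to keep.
    """
    by_pid: Dict[int, ProcessEvent] = {ev.pid: ev for ev in events}
    suspects = suspicious_rundll32(events)
    suspect_pids = {ev.pid for ev in suspects}
    findings: List[Tuple[str, int]] = []

    for ev in suspects:
        parent = by_pid.get(ev.ppid)
        if (parent is not None and parent.pid in suspect_pids
                and "\\syswow64\\" in ev.image.lower()):
            findings.append(("wow64_rundll32_rehost", ev.pid))

    for ev in events:
        m = WERFAULT_TARGET.search(ev.cmdline)
        if m and int(m.group(1)) in suspect_pids:
            findings.append(("suspicious_rundll32_crashed", int(m.group(1))))

    return findings


if __name__ == "__main__":
    for name, pid in analyse(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

On the constructed input this reports the SysWOW64 re-host of PID 588 and the crash of PID 588, and says nothing about the shell32.dll control-panel invocation, which uses the same binary but a system DLL and a named export. Feeding it real Sysmon or EDR process events only requires mapping their fields onto ProcessEvent.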